

THE CONSUMER PRIVACY 
PROTECTION ACT OF 2002 


HEARING 

BEFORE THE 

SUBCOMMITTEE ON 

COMMERCE, TRADE, AND CONSUMER PROTECTION 

OF THE 

COMMITTEE ON ENERGY AND 
COMMERCE 

HOUSE OF REPRESENTATIVES 

ONE HUNDRED SEVENTH CONGRESS 
SECOND SESSION 
ON 

H.R. 4678 


SEPTEMBER 24, 2002 


Serial No. 107-131 


Printed for the use of the Committee on Energy and Commerce 



Available via the World Wide Web: http://www.access.gpo.gov/congress/house 


U.S. GOVERNMENT PRINTING OFFICE 
81-960PS WASHINGTON : 2002 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 


COMMITTEE ON ENERGY AND COMMERCE 


W.J. “BILLY” TAUZIN, Louisiana, Chairman 


MICHAEL BILIRAKIS, Florida 

JOE BARTON, Texas 

FRED UPTON, Michigan 

CLIFF STEARNS, Florida 

PAUL E. GILLMOR, Ohio 

JAMES C. GREENWOOD, Pennsylvania 

CHRISTOPHER COX, California 

NATHAN DEAL, Georgia 

RICHARD BURR, North Carolina 

ED WHITFIELD, Kentucky 

GREG GANSKE, Iowa 

CHARLIE NORWOOD, Georgia 

BARBARA CUBIN, Wyoming 

JOHN SHIMKUS, Illinois 

HEATHER WILSON, New Mexico 

JOHN B. SHADEGG, Arizona 

CHARLES “CHIP” PICKERING, Mississippi 

VITO FOSSELLA, New York 

ROY BLUNT, Missouri 

TOM DAVIS, Virginia 

ED BRYANT, Tennessee 

ROBERT L. EHRLICH, Jr., Maryland 

STEVE BUYER, Indiana 

GEORGE RADANOVICH, California 

CHARLES F. BASS, New Hampshire 

JOSEPH R. PITTS, Pennsylvania 

MARY BONO, California 

GREG WALDEN, Oregon 

LEE TERRY, Nebraska 

ERNIE FLETCHER, Kentucky 


JOHN D. DINGELL, Michigan 
HENRY A. WAXMAN, California 
EDWARD J. MARKEY, Massachusetts 
RALPH M. HALL, Texas 
RICK BOUCHER, Virginia 
EDOLPHUS TOWNS, New York 
FRANK PALLONE, Jr., New Jersey 
SHERROD BROWN, Ohio 
BART GORDON, Tennessee 
PETER DEUTSCH, Florida 
BOBBY L. RUSH, Illinois 
ANNA G. ESHOO, California 
BART STUPAK, Michigan 
ELIOT L. ENGEL, New York 
TOM SAWYER, Ohio 
ALBERT R. WYNN, Maryland 
GENE GREEN, Texas 
KAREN MCCARTHY, Missouri 
TED STRICKLAND, Ohio 
DIANA DeGETTE, Colorado 
THOMAS M. BARRETT, Wisconsin 
BILL LUTHER, Minnesota 
LOIS CAPPS, California 
MICHAEL F. DOYLE, Pennsylvania 
CHRISTOPHER JOHN, Louisiana 
JANE HARMAN, California 


David V. Marventano, Staff Director 
James D. Barnette, General Counsel 
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel 


Subcommittee on Commerce, Trade, and Consumer Protection 
CLIFF STEARNS, Florida, Chairman 


FRED UPTON, Michigan 
NATHAN DEAL, Georgia 
Vice Chairman 
ED WHITFIELD, Kentucky 
BARBARA CUBIN, Wyoming 
JOHN SHIMKUS, Illinois 
JOHN B. SHADEGG, Arizona 
ED BRYANT, Tennessee 
GEORGE RADANOVICH, California 
CHARLES F. BASS, New Hampshire 
JOSEPH R. PITTS, Pennsylvania 
MARY BONO, California 
GREG WALDEN, Oregon 
LEE TERRY, Nebraska 
ERNIE FLETCHER, Kentucky 
W.J. “BILLY” TAUZIN, Louisiana 
(Ex Officio) 


EDOLPHUS TOWNS, New York 
DIANA DeGETTE, Colorado 
LOIS CAPPS, California 
MICHAEL F. DOYLE, Pennsylvania 
CHRISTOPHER JOHN, Louisiana 
JANE HARMAN, California 
HENRY A. WAXMAN, California 
EDWARD J. MARKEY, Massachusetts 
BART GORDON, Tennessee 
PETER DEUTSCH, Florida 
BOBBY L. RUSH, Illinois 
ANNA G. ESHOO, California 
JOHN D. DINGELL, Michigan, 

(Ex Officio) 





CONTENTS 


Testimony of: 

Barrett, Jennifer, Chief Privacy Officer, Acxiom Corporation 

Misener, Paul, Vice President, Global Public Policy, Amazon.com 

Palafoutas, John P., Senior Vice President, Domestic Policy and Congressional Affairs, AeA 

Rotenberg, Marc, Executive Director, Electronic Privacy Information Center 

Schall, John A., Executive Director, National Business Coalition on E-commerce and Privacy 

Servidea, Philip D., Vice President, Government Affairs, NCR Corporation 

Whitener, Rebecca, Director of Privacy Services, EDS 





THE CONSUMER PRIVACY PROTECTION ACT 

OF 2002 


TUESDAY, SEPTEMBER 24, 2002 

House of Representatives, 

Committee on Energy and Commerce, 

Subcommittee on Commerce, Trade and 

Consumer Protection, 

Washington, DC. 

The subcommittee met, pursuant to notice, at 9 a.m., in room 
2322, Rayburn House Office Building, Hon. Cliff Stearns (chair- 
man) presiding. 

Members present: Representatives Stearns, Bass, Walden, and 
Harman. 

Also present: Representative Boucher. 

Staff present: Ramsen Betfarhad, majority counsel; Yong Choe, 
legislative clerk; and Jonathan J. Cordone, minority counsel. 

Mr. Stearns. The subcommittee will come to order. 

And good morning. I apologize; I was a little late, and I thank 
my colleague for her patience. Thank you, Mr. Boucher. 

Let me just say I welcome our distinguished witnesses to this 
legislative hearing on our bill, H.R. 4678, the Consumer Privacy 
Protection Act of 2002. 

I guess about a year and a half ago our committee began cre- 
ating, I think one of the most exhaustive set of hearings dealing 
with this type of legislation. We had six hearings on privacy, and 
it was a workout to get these hearings, particularly because there 
was no need, it appeared, when we requested these hearings, be- 
cause the chairman and others said, Well, I’m not sure we need it. 

But I think, as many in the audience would say today, that there 
is going to be a need. So I decided to go ahead, and after careful 
examination, we had these six hearings; and we were very pleas- 
antly surprised. 

We took the basic premise that we wanted to do no harm to the 
Internet. The Federal information privacy legislation should ensure 
that no harm comes to the consumer from unwanted breaches of 
their information privacy, and at the same time, it should not 
harm — most importantly today — economic growth by hurting the 
sharing of consumer information. So our bill, H.R. 4678, I think 
goes a long way to establishing that balance. Now, perhaps — a lot 
of you will probably agree. 

I think today we are going to feather out some of the nuances 
of my privacy bill and also that Senator Fritz Hollings has. I like 
to use this quote — I am not necessarily an avid fan of Ayn Rand, 
but she did say at one time that “Civilization is the progress toward 
a society of privacy. The savage’s whole existence is public, 
ruled by the laws of his tribe. Civilization is the process of setting 
man free from men.” 

So here in America, where we enjoy an open society, we cherish 
our privacy too. With the advent of on-line data collection, the 
American consumer’s information privacy concerns have rightfully 
been heightened. As individuals and businesses turn to computers 
and computer networks for commercial and personal reasons, mas- 
sive volumes of personal information are generated, collected and 
stored for personal, governmental and commercial activities. 

All of these activities generate a footprint of sorts: personal data. 
And that footprint, in turn, has heightened consumers’ concern 
over their personal information privacy. The fact is that personal 
data is collected both online and offline. The collection of consumer 
data on line is just a new dimension of a very old practice, al- 
though an increasingly significant one. 

Moreover, consumer information, whether collected online or off- 
line, is aggregated into the same data bases and processed by the 
same computers without regard to the source of that data. The con- 
sumers’ legitimate concerns over their information privacy must, in 
turn, be weighed against the fact that our economy is highly con- 
sumer information dependent as it is a consumer-based economy 
where over two-thirds of our gross domestic product is comprised 
of consumer spending, and that is nearly $7 trillion. 

Historically, consumer information has played an important role 
in our economic growth. The free flow of consumer information has 
served all of us as American consumers well throughout our mod- 
ern economic history. Any Federal law or regulation that unduly 
burdens information sharing may bring about a substantial and 
negative impact, of course, on our economy. Therefore, any Federal 
legislation intended to be responsive to the public’s information pri- 
vacy concerns must include within its scope protection from both 
unwanted on-line and off-line data collection and use activities, and 
balance those protections against the legitimate consumer informa- 
tion gleaning and sharing activities of a consumer-based economy; 
and I think our bill does just that. 

Shortly after the conclusion of our hearings I offered some basic 
principles. We have outlined these seven principles that we have 
and believe that the Consumer Privacy Protection Act of 2002 is a 
very meaningful effort for all of us. The bill mandates a privacy 
policy and statement. The bill requires that any organization col- 
lecting, selling or using consumer’s personally identifiable informa- 
tion for a purpose unrelated to the consumer transaction must es- 
tablish a privacy policy, and the principal elements of that privacy 
policy must be accessible to the consumer at the time the organiza- 
tion first collects this personally identifiable information and subse- 
quently. 

In addition, a data collector must provide the consumer with the 
opportunity to preclude the sale or disclosure of his or her PII to 
any other data collector and user. As noted in our bill, it applies 
to both online and offline, and that has been our policy from the 
very beginning. 

It preempts States’ action, forecloses private right of action, and 
vests in the FTC the exclusive authority to enforce its provisions. 





The bill entails a novel cyber security provision designed to im- 
prove the integrity of consumer data and a provision addressing 
the interplay between the U.S. privacy protection and those of 
other countries. 

And finally, my colleagues, the bill fosters self-regulatory pro- 
grams by defining the outer parameters of what would constitute 
an acceptable privacy program. 

I think all of us in the aftermath of the September 11 terrorist 
attack, the American people and the government, have understand- 
ably focused on enhancing security. Although protecting our citi- 
zens is the top priority of Congress, I do not want to see the issue 
of consumer information privacy overwhelmed by the events of 9/ 
11. Even as a Nation wages war on global terrorism, it is appro- 
priate that Congress still considers the matter of information pri- 
vacy. 

I will conclude by stating that I think we have a balanced and 
bipartisan bill, and the American consumer is empowered with in- 
formation about what is done with his or her personally identifi- 
able information so that he or she can make an informed choice. 
Commerce, in turn — and this is very important — is spared the 
undue burden of regulation that could follow. 

So I look forward to our witnesses, and I want to thank them. 

And the gentlelady from California. 

Ms. Harman. Thank you, Mr. Chairman. I have obviously ad- 
vanced in seniority on this committee at a rapid rate, and I appre- 
ciate it. I want to apologize, first, to you and Mr. Boucher and our 
witnesses for the fact that I must leave at 9:45. I am a member 
of what’s called the Joint Inquiry — it sounds very British to me — 
which is looking into the plot of 9/11 and what reforms we might 
be able to make; and while I agree with you that 9/11 should not 
shape our views on every issue, it certainly does seem to me that 
we must still focus on it and the threats that may come after it. 

But when I leave, I will hand over this ranking position to Mr. 
Boucher, a senior member, a real senior member of the full com- 
mittee and a cosponsor of this bill; and I trust that you will agree 
that he will ably carry out these duties. 

I want to commend you for the efforts you made before you intro- 
duced the bill to reach for all the members of the subcommittee. 
I was one of the people reached for. You asked me my views, you 
urged me to cosponsor the bill; and at that time I said that I 
thought it was a good bill, but I would prefer to hold off in order 
to reflect very carefully on whether you had achieved a balance 
that I thought would work between the need to foster technology 
and the need to protect privacy. 

Having thought about it for a couple of months, I thought I 
would come to your hearing to tell you that I have now decided to 
cosponsor the bill. 

Mr. Stearns. Appreciate your support. 

Ms. Harman. Well, you are welcome. 

And I appreciate the way you worked on this and I appreciate 
the fact that you have put together a very able panel, which I am 
sure will make suggestions to us that could improve this product 
further. 





I don’t think you are claiming perfection here, Mr. Chairman. As 
a mother of four, I often say that perfection is not an option. But 
I think you have a very good working document, and if better ideas 
are suggested, I am sure you will be open to better ideas. 

So I just want to say that I am proud to cosponsor your legisla- 
tion. I think this is an excellent panel, and I look forward to get- 
ting smarter as we hear from these witnesses. 

And finally, I would like to ask unanimous consent that any 
other members’ opening statements be inserted into the record. 

Mr. Stearns. By unanimous consent, so ordered. 

And I thank the gentlelady from California, Ms. Harman, for 
your support; and I think you know, you are not a senior member 
in the one sense, but you are senior in another since you have been 
here twice, and that creates a lot of wisdom which a lot of us don’t 
have. 

So — having run for Governor, you bring to the table a lot of per- 
spective, and so your support will be very helpful, I think, for a lot 
of our colleagues. 

Ms. Harman. I thank you for that. I would just observe, however, 
that I call myself the repeater in Congress; and it may make me 
smarter or it may make me dumber for going through this again. 

Mr. Stearns. It is my pleasure to welcome an opening statement 
from Mr. Boucher from Virginia, who is an original cosponsor with 
me and has been very helpful in the whole development of this bill. 
So a lot of the credit for this bill also comes from his participation, 
and I welcome his opening statement. 

Mr. Boucher. Well, thank you very much, Mr. Chairman. I ap- 
preciate your inviting me to take part in the hearing today. While 
not a member of this subcommittee, I have a deep and abiding in- 
terest in this subject matter. And I am pleased to take part in the 
hearing. 

I want to commend you, Mr. Chairman, for your leadership in 
the development of the privacy measure we have before us, and I 
am pleased to be an original coauthor of the measure. The bill 
would establish a baseline set of guarantees for personal privacy 
with respect to personally identifiable information collected by Web 
site operators and by off-line entities that use information for com- 
mercial purposes. 

The requirements of the bill are straightforward and would be in 
the nature of a minimum set of guarantees. These guarantees pro- 
tect consumers while promoting effective and unhindered electronic 
commerce. First, each Web site and off-line entity would be re- 
quired to provide a clear locus of what information about con- 
sumers is collected and then how that information is used by the 
party that collects it. 

As a second right, after reviewing the privacy statement, the con- 
sumer would be able to decline to have information about him col- 
lected. We commonly refer to this as an opt-out provision. 

As a third matter, the Federal Trade Commission would be em- 
powered to assure compliance with the basic privacy guarantees af- 
forded. 

And as a fourth matter, the legislation declares that these guarantees 
are the true national policy, and the bill preempts any inconsistent 
or more onerous requirements that would be imposed by a State or local 
government. Were each of the 50 States to impose its own privacy laws, 
it would be exceedingly difficult, if not impossible, for companies 
doing business nationwide to comply with these varying requirements. 

The bill also makes it clear that the baseline Federal guarantees 
set forth in this legislation do not affect other, more specific Fed- 
eral privacy requirements. So if a particular industrial sector is 
subject to some other more precise Federal privacy regime, then 
that set of privacy laws would apply and the provisions of this bill 
would not. 

A number of benefits will flow from passage of the measure. It 
would assure that all Web sites and commercial users of personally 
identifiable information respect privacy. While well-known commer- 
cial sites tend to be members of self-regulatory programs and gen- 
erally respect the privacy rights of their users, many smaller Web 
sites do not belong to the SROs, and currently collect information 
about users without any privacy guarantees. 

All Web site operators and off-line entities which collect informa- 
tion for commercial purposes other than some very small busi- 
nesses and certain nonprofit entities would be covered by the bill 
that we are putting forward. By establishing only a minimum set 
of guarantees, the bill fully preserves the ability of conditions to 
offer higher levels of privacy and then market these increased pro- 
tections as a competitive advantage. 

In my experience, consumers use privacy along with convenience, 
quality, selection, price and other factors in order to distinguish 
among competing electronic commerce services. Enhanced privacy 
protection can become a true competitive asset to businesses that 
want to step up above the minimum guarantees required in the 
law. 

Through the legislation that we are putting forth, Congress 
would also send the powerful message that both the privacy of our 
citizens as well as the free flow of information for unencumbered 
global electronic commerce are of paramount concern. With the strong 
enforcement mechanisms in place in the U.S. and the specific 
enforcement mechanisms added by this bill the measure would assure 
a corset of enforceable privacy rights for American consumers. 

Mr. Chairman, I think this is a valuable effort, and I want to 
commend you for the work that you have done. It has been my 
privilege to partner with you in this, and I hope that we can succeed 
in passing the bill. Thank you. 

Mr. Stearns. I thank my colleague. 

[Additional statements submitted for the record follow:] 

Prepared Statement of Hon. Charles F. Bass, a Representative in Congress 
from the State of New Hampshire 

Thank you, Mr. Chairman, for holding this hearing and building on this sub- 
committee’s impressive record of examining the issues relevant to privacy and the 
protection of consumers. 

Mr. Chairman, as I look forward to today’s testimony, I am anxious to hear from 
the many assembled witnesses, and will thus be brief. 

I am a cosponsor of this H.R. 4678 because I believe it is the best effort any com- 
mittee in either chamber has put forward to address the legitimate problems that 
exist for consumers. I am particularly pleased with the bill’s: 

• rejection of distinction between data collected offline and online; 

• with its federal jurisdictional protection of what may well be inherently Interstate commerce; and 

• significant further progress on identity theft. 

The combined weight of these strengths plus the clarity the bill brings to the 
international trade arena make it an effort worth supporting. I look forward to the 
testimony and a later opportunity to use these comments to improve on this draft 


Prepared Statement of Hon. W. J. “Billy” Tauzin, Chairman, Committee on 
Energy and Commerce 

Thank you, Mr. Chairman, and let me commend you, first of all, for the extraor- 
dinary effort you and the Subcommittee members have put into this complex and 
intricate issue of consumer privacy. I believe this good work shows in the thought- 
ful, comprehensive new bill that is the subject of today’s hearing. 

One reason I am a cosponsor of H.R. 4678 is because of your careful consideration 
of the issue as you crafted this legislation: you have listened to all sides, all inter- 
ested parties, and worked off an extensive record of some six privacy hearings held 
by this Subcommittee this Congress. The result, I believe, promises to be a signifi- 
cant enhancement of the privacy protections for American consumers when con- 
ducting commercial transactions. 

The hearing process behind this bill brought out a fact that we must remember 
as we move forward: There are legitimate consumer concerns about how companies 
collect and use information. There are also actual abuses of consumer privacy occur- 
ring in the marketplace today. Whether or not such abuses cause direct harm, they 
can still harm consumer trust and confidence, which can produce a chilling effect 
on the expansion of goods and services available to consumers overall. 

Of course, leading companies, often those with the biggest brand names, under- 
stand the value of protecting consumer privacy. They realize that making consumers 
comfortable about their privacy practices is good for business. They also understand 
that betraying consumer trust is business suicide. If all companies were like those 
leading the pack, then this legislation might not be needed. 

But this is not the case. We know there are some bad actors, a small minority 
of companies and individuals causing the greatest grief for consumers. There is also 
a host of companies that haven’t made privacy a priority for their business. And so 
I think there is need for targeted legislation to provide additional privacy protec- 
tions for consumers. 

This will provide a standard level of federal law to govern privacy of consumers 
in those areas not already covered by law. It brings everyone up to the level where 
the good guys already are. We are going to raise the tide. 

H.R. 4678 embodies a principle that I think is essential for any new commercial 
privacy legislation: promote consumers’ privacy without unfairly hampering current 
commercial activity and the vast consumer benefits generated by information shar- 
ing. 

The many components of this bill align well with my position on privacy legisla- 
tion. For example, I will not support a bill that takes a medium-specific approach 
to privacy, such as applying only to Internet transactions. Today’s information col- 
lection activities are not bound by any one medium. Companies generally don’t build 
separate databases or have differing privacy regimes based on the medium used to 
collect consumer data. And we should not legislate as if they do. 

We also cannot have 50 different laws for information sharing, which will only 
stifle interstate commerce — a scenario that gets even worse if localities start to jump 
on the bandwagon. I’m pleased, Mr. Chairman, to see the bill takes a firm stance 
towards state preemption. 

We must also ensure that consumers have the information they need to make 
educated decisions about the information collected and used about them. So I’m also 
pleased to see that H.R. 4678 includes a detailed process to empower and educate 
consumers about company privacy practices through notices and statements. 

And given that the sale of information has been one of the strongest concerns 
raised during the hearings, the bill appropriately includes an important obligation 
to permit the consumer to preclude the sale of information from one company to an- 
other. But it doesn’t mandate that this be either opt-in or opt-out — as broadly lock- 
ing in this decision is not in the best interest of consumers. 

Because privacy intersects so many difficult issues, the list of essential measures 
needed to navigate this terrain is too long to go into here. Suffice to say, I’m also 
pleased to see the bill takes solid, defendable stances on other necessary fronts. 

It emphatically makes clear that self-regulation is a necessary part of the process. 
It includes a lengthy and extensive self-regulatory mechanism to allow privacy 
organizations to police the actions of its members with an FTC backstop, if necessary. 
This should increase compliance and ease the process consumers have to deal with 
to get a problem resolved. 

On the legal front: The bill bans private rights of action, which will prevent harm- 
ful lawsuits and limit legal shenanigans. It is proper to do this because the bill in- 
cludes strong authority for the FTC to take enforcement action against violators — 
and we expect vigilance by the FTC in this matter. 

Lastly, the bill would deploy new information security obligations and has spe- 
cific, targeted fixes for identity theft and an extensive provision dealing with the 
international aspect of this law. All are needed and worthy provisions. 

I will encourage all Members to join this effort, and be part of this bipartisan, 
balanced approach. No one should assume that every word and comma of the bill 
is locked in stone. On the contrary, we will be open to discussions on how best to 
improve the bill — without gutting essential principles. If we work together perhaps 
we can work through any perceived shortfalls. 

Let me add that we also have no set agenda for moving the bill. We will decide 
where to go after the hearing. As I stated during the privacy hearings last year, 
we are set on our own, determined course here. We certainly haven’t designed this 
bill as a response to the Senate’s work. This measure builds on our own thoughtful 
process. 

Thank you again Mr. Chairman, and I look forward to the witness testimony. 

Mr. Stearns. We welcome our panel. John Palafoutas, Senior 
Vice President, Domestic Policy, AeA; Mr. Philip Servidea, Vice 
President, Government Operations, NCR; John Schall, Executive 
Director, National Business Coalition on E-Commerce and Privacy; 
Ms. Rebecca Whitener, Director of Privacy Services, EDS Security 
& Privacy Services; Ms. Jennifer Barrett, Chief Privacy Officer, 
Acxiom; Paul Misener, Vice President, Global Public Policy, 
Amazon.com; and Marc Rotenberg, the Executive Director of Electronic 
Privacy Information Center. 

Let me thank all of you for coming, and I welcome your opening 
statements. We will just start from my left to my right. 

STATEMENTS OF JOHN P. PALAFOUTAS, SENIOR VICE PRESI- 
DENT, DOMESTIC POLICY AND CONGRESSIONAL AFFAIRS, 
AeA; PHILIP D. SERVIDEA, VICE PRESIDENT, GOVERNMENT 
AFFAIRS, NCR CORPORATION; JOHN A. SCHALL, EXECUTIVE 
DIRECTOR, NATIONAL BUSINESS COALITION ON E-COM- 
MERCE AND PRIVACY; REBECCA WHITENER, DIRECTOR OF 
PRIVACY SERVICES, EDS; JENNIFER BARRETT, CHIEF PRI- 
VACY OFFICER, ACXIOM CORPORATION; PAUL MISENER, 
VICE PRESIDENT, GLOBAL PUBLIC POLICY, AMAZON.COM; 
AND MARC ROTENBERG, EXECUTIVE DIRECTOR, ELEC- 
TRONIC PRIVACY INFORMATION CENTER 

Mr. Palafoutas. Thank you, Mr. Chairman. The first thing I 
want to do is comment on the process that you employed on this 
bill, which I think was extremely important. People forget in the 
swirl of Internet privacy and the Internet that the Internet is a 
new — it is a new medium. It is a new industry. It is 8 years old. 

And there has been a lot of hyperbole, both on our side and on 
other sides, of the Internet and its use. And the process that you 
and the Democratic members employ on this bill was extremely im- 
portant because you brought consumer groups in, privacy act advo- 
cates and the high tech industry. And I can’t tell you how impor- 
tant that was as a model for this body, and I hope for the other 
body, to use in coming up with good privacy legislation. 

We face this problem all the time at AeA. As you know — and you 
spoke to our board, Mr. Chairman, on this bill a few months ago — 
AeA is one of the largest high tech trade associations in the 
country. And the reason we got involved in this early is because we 
have operations in 18 cities around the country and we lobby in a 
dozen States. And our board became concerned because we saw the 
proliferation, the possible proliferation, of privacy rules at the State 
level and this concerned us because the big question of interstate 
commerce and the proliferation of 50 State regimes on privacy is 
extremely — of great concern to us. 

And it is amplified by the fact that some of the State legislatures 
are only meeting part-time, and while they are good decent people, 
they are not spending the time that this body can in coming up 
with the kind of legislation, getting the kind of background that we 
need on this. 

We saw this most clearly this past summer in Minnesota. Min- 
nesota and California have been the first two States to pass Inter- 
net privacy laws. The Minnesota model is the one that scares in- 
dustry the most. It was done in a politically overheated atmos- 
phere. It was not a bipartisan bill. It was being pushed through as 
part of the election year, and we got what we consider as pretty 
bad legislation. In fact we are going to spend a lot of resources, 
both time and money, in taking this bill to court because of the 
issues that it brings up. 

And we are glad that this bill, with its strong preemption, is 
going to provide the kind of context that the industry needs, be- 
cause now that we have a bill in California and a bill in Minnesota, 
what we are concerned about at AeA is that we are going to see 
more and more States using these as a template, and they are 
going to go out — and now that this is the floor, they are going to 
start to implement other legislation that really causes a great con- 
cern to our industry. And because of, again, our large lobbying ac- 
tivity at the State level, we have seen that legislatures are not fo- 
cused on this as they should. 

The other thing that this bill highlights — and it is important for 
the members to see — is, nobody is more concerned about consumer 
confidence than our member companies. I need to say that again. 
Nobody is more concerned about consumer confidence than our 
member companies. If consumers don’t have confidence in a Web 
site, they are going to go somewhere else. If they think that their 
information is being misused, they are going to go somewhere else. 
And I think what your bill has done is strike a proper balance in 
saying, Here’s the rules; but, consumers, you have responsibilities 
too. 

So in both the preemption and in the choice provisions we see 
very strong and important provisions because we believe that con- 
sumers should have a choice. But it is a choice that is dictated be- 
tween them and the provider of the service that they are getting 
over the Internet, whether it is — in this case, you provide for an 
opt-out, which I think is very important. 

Certain companies in our industry have an opt-in model for their 
business model. We think that is perfectly appropriate. But it 
should be part of that implicit and probably sometimes explicit con- 
tract that the companies have with the consumer. 

Your bill comports with our privacy principles that we have out- 
lined in our written testimony and we have conveyed to your staff. 





And I have to comment a little bit on your staff. I state in my 
written comments the persistence and professionalism of Ramsen. 
He has indeed been a junkyard dog on many of those issues in 
making sure that the committee is getting all the information that 
it should have. So I couldn’t go by without making that comment. 

As I said, generally speaking, this bill hits our principles. One — 
two issues that we are concerned about are the — what we consider 
excessive penalties in the enforcement provision, the fact that in — 
actually three — the fact that this does not cover government Web 
sites which — and also nonprofits. I remind you that AeA is a non- 
profit organization and we do use information at times. And we do 
have, as I mention in my comments and I am sure you will hear 
from the other panelists, concerns about the Safe Harbor and the 
EU privacy directive. 

But we applaud you for this bill. It is a very strong bill, and we 
look forward to working with you in the next Congress to make it 
even stronger. 

[The prepared statement of John Palafoutas follows:] 

Prepared Statement of John Palafoutas, Senior Vice President, Domestic 
Policy & Congressional Affairs, AeA 

INTRODUCTION 

Mr. Chairman, Members of the Committee, I thank you for the invitation to ap- 
pear today to discuss the need for stronger federal protections for consumer privacy, 
and comment specifically on H.R. 4678, the “Consumer Privacy Protection Act of 
2002.”

My name is John Palafoutas, and as AeA’s Senior Vice President of Domestic Pol- 
icy and Congressional Affairs, I have responsibility for policy implementation of 
AeA’s Internet privacy initiative, as directed by our Board of Directors. 

By way of background, AeA is the nation’s largest high-tech trade association. 
AeA represents more than 3,000 companies with 1.8 million employees. These 3000+ 
companies span the high-technology spectrum, from software, semiconductors, med- 
ical devices and computers to Internet technology, advanced electronics and tele- 
communications systems and services. With 17 regional U.S. councils and offices in 
Brussels and Beijing, AeA offers a unique global policy grassroots capability and a 
wide portfolio of valuable business services and products for the high-tech industry. 
AeA has been the accepted voice of the U.S. technology community since 1943. If 
you’d like more information about us and our mission, you can visit our website at 
www.aeanet.org. 

Mr. Chairman and Mr. Towns, I especially want to thank you both for your lead- 
ership on the issue of Internet privacy. By seeking out information from all cor- 
ners — consumer groups, privacy advocates, and the high tech industry — you have 
shown your commitment to creating bipartisan legislation that is well rounded and 
responsive to the concerns of all. I also wish to commend your committee’s Majority 
Counsel, Ramsen Betfarhad. In his persistence and professionalism, he has served 
this Committee well. 

Privacy is an especially important topic for our member companies, as you may 
recall Mr. Chairman when you spoke at our Board of Directors meeting in May of 
this year. Every one of our member companies’ businesses revolves around the 
Internet in one way or another. Protecting online consumers is of paramount impor- 
tance to our companies. It is for this reason that AeA has been championing the 
cause of strong, non-discriminatory pre-emptive federal privacy legislation for al- 
most two years now — something that no other trade association can lay claim to. 

As use of the Internet continues to grow, online vendors are gathering more infor- 
mation about the purchasing habits of their customers. The increase in the collec- 
tion and use of this data has raised public concern over precisely what information 
is being collected about consumers, how that information is being used, and whether 
it is being transferred to third parties. As a result, addressing concerns related to 
the collection and use of consumer information is becoming of increasing importance 
to legislators at the state and federal levels. 

E-commerce continues to be one of the driving forces behind the growth of the 
U.S. and world economy. Online companies collect a tremendous amount of information
about customers in order to provide discounted goods and services, efficiently
target niche markets, and notify customers of new products and services. Further- 
more, these personal information databases are a valuable business asset for online 
companies. These companies use the databases not only to promote their own prod- 
ucts, but oftentimes transfer this information to third party marketers. This allows 
companies to obtain and attract additional revenue and funding for their operations. 
However, surveys show that consumers are concerned over how their information 
is collected, used, and distributed. 

Policy makers face a dilemma in addressing two very legitimate needs. On one 
side of the balance is the very real need for consumer privacy, and on the other, 
the constructive actions business has undertaken in numerous self-regulatory solu- 
tions. The role of government is to be the balance point in the middle — assuring that 
effective and enforceable solutions are implemented fairly, without jeopardizing the 
beneficial uses of this information by online companies. Caution must also be taken 
to assure against the adoption of burdensome regulations that could impede the con- 
tinued growth of online commerce or patchwork state level solutions that are nei- 
ther consonant nor enforceable across a borderless medium. 

The imposition of stringent privacy regulations on the Internet could severely 
slow down the projected e-commerce growth. The Department of Commerce predicts 
e-commerce to pass $300 billion by the end of this year while some in private indus- 
try are predicting numbers much higher. It is for this reason that we have put con- 
siderable thought and effort into our privacy principles. 

AEA’S PRIVACY PRINCIPLES

We first released our Privacy Principles in January of 2001 in order to guide fed- 
eral policy makers in considering balanced, pre-emptive privacy legislation that is 
sensitive to the needs of consumers and to the Internet’s economic and technical re- 
alities. These principles have been crafted from input and advice garnered from 
AeA’s member companies, our Grassroots Network, and responses from town hall 
meetings across the country. Overwhelmingly, the responses all identified the grim 
possibility of multiple and conflicting state privacy regulations as their top legisla- 
tive concern. 

Federal preemption legislation plays a crucial role in ensuring consistency and 
certainty into the marketplace. The passage of Internet privacy legislation this past 
year in California and Minnesota highlights the growing need for preemption legis- 
lation. The inherent danger is both imminent and profound. Other states are now 
looking to make a template of these new laws — laws that are provincial in nature 
and unconcerned with their deleterious impact on interstate commerce. 

Further, only the federal government is in a position to create uniform U.S. pri- 
vacy standards that not only protect American consumers, but that will harmonize 
with international privacy directives. Federal legislation should not, however, at- 
tempt to replace or impede constructive private sector efforts, but rather build upon 
the baseline that they have laid down. 

What good federal preemption language will do is protect consumers without im- 
posing burdensome, impractical new requirements. Poorly crafted legislation will 
translate into higher consumer costs, fewer online services, and less free content — 
thus hurting the same consumers such legislation intends to benefit. 

Mr. Chairman, because this legislation largely comports with AeA’s Privacy Prin- 
ciples, AeA believes that H.R. 4678 is generally good legislation, and with some 
technical adjustments, it is something I believe AeA member companies may sup- 
port. 

Legislation Should Ensure National Standards. H.R. 4678 Does This. The
Internet is a new and powerful tool of interstate commerce. Public policies related
to Internet privacy should be national in scope, thus avoiding a patchwork of state 
and local mandates. This uniform framework will promote the growth of interstate 
e-commerce, minimize compliance burdens, sustain a national marketplace and 
make it easier for consumers to protect their privacy. 

H.R. 4678 successfully preempts state and local statutory law, common law, and 
rules and regulations dealing with the use of personally identifiable information 
(PII) in interstate commerce. 

Legislation Should Not Discriminate Against the Internet. H.R. 4678 
Doesn’t. Consumers should have confidence that their privacy will be respected re- 
gardless of the medium used. Similar privacy principles should apply online and off- 
line. Public policy should not discriminate against electronic commerce by placing 
unique regulatory burdens on Internet-based activities. 

H.R. 4678 makes no distinction between the online and offline worlds. 





Legislation Should Provide Individuals with Notice. H.R. 4678 Does This.
Web sites that collect personally identifiable information should provide individuals
with clear and conspicuous notice of their information practices at the time of infor- 
mation collection. Individuals should be notified as to what type of information is 
collected about them, how the information will be used, and whether the informa- 
tion will be transferred to unrelated third parties. 

Because H.R. 4678 requires data collectors who sell customer PII to post notice 
at the time of data collection, consumers will know that the collector’s practices may 
raise an issue of consumer privacy, and allows them to find out exactly what those 
practices are. Further, H.R. 4678 sets out the requirements for what the notice must 
contain, as well as allowing the FTC to issue guidelines and advisory opinions. 

Legislation Should Ensure Consumer Choice. H.R. 4678 Does This. Consumers
should have the opportunity to opt out of the use or disclosure of their per-
sonally identifiable information for purposes that are unrelated to the purpose for 
which it was originally collected. Consumers should be allowed to receive benefits 
and services from vendors in exchange for the use of information. It is important 
that the consumer understands this use and is able to make an informed choice to 
provide information in return for the benefit received. 

H.R. 4678 mandates that all data collectors shall allow consumers to opt-out of 
the sale of their PII to non-affiliated third parties, and the withholding of consent 
will last five years. 

Legislation Should Leverage Market Solutions. H.R. 4678 Does This. Pri- 
vate sector privacy codes and seal programs are an effective means of protecting in- 
dividuals’ privacy. Lawmakers should recognize and build upon the self-regulatory 
mechanisms the private sector has put in place and continues to build. These mech- 
anisms are backed by the enforcement authority of the Federal Trade Commission 
and state attorneys general. Public policies also should allow organizations to imple- 
ment fair information practices flexibly across different mediums and encourage in- 
novation and privacy enhancing technologies. 

H.R. 4678 rewards participation in recognized seal programs by placing the bur- 
den of proving non-compliance on the FTC, as well as allowing for the use of binding 
private arbitration. 

Legislation Should Utilize Existing Enforcement Authority. H.R. 4678 
Does This. With the imposition of notice requirements, the Federal Trade Commis- 
sion should use its existing authority to enforce the mandates of federal legislation. 
Legislation should not create any new private rights of action. 

H.R. 4678 provides that any violation will be an unfair or deceptive act under § 5 
of the Federal Trade Commission Act, thus not adding new sanctions into the al- 
ready expanding pantheon of penalties. However, H.R. 4678 imposes strict monetary 
penalties that we believe are excessive, especially the doubling of civil penalties. 

Legislation Should Avoid Conflicting or Duplicative Standards. H.R. 4678 
Does This. In cases where more than one government agency seeks to regulate the 
privacy practices of a particular organization or industry, those agencies should offer 
a single coordinated set of standards. 

H.R. 4678 ensures that organizations complying with other federal privacy laws 
dealing with the protection of a consumer’s PII are deemed to be in compliance with 
this act. 


AEA DOES HAVE SOME CONCERNS WITH H.R. 4678: 

H.R. 4678 Does Not YET Protect Consumers in the Public and Private
Arena. Government and non-profit organizations collect a tremendous amount of 
personally identifiable information about citizens. The need to foster consumer con- 
fidence applies to private and public sector activities. Government agencies and non- 
profit organizations that collect personally identifiable information should be re- 
quired to follow fair information practices imposed on the private sector by law or 
regulation. It is well known that consumer information gleaned from government 
websites is often traded to third-parties without notice or consent. We believe this 
to be an unacceptable practice. H.R. 4678 should hold all government websites — fed- 
eral, state, and local — to the same high standards imposed upon private industry. 

H.R. 4678 May Have a Negative Impact on the EU Data Protection Safe 
Harbor. Back in 2000, a safe harbor was negotiated that would provide U.S. compa- 
nies with protection from the EU Data Protection if they agreed to abide by the pri- 
vacy principles included in the Safe Harbor. The EU only agreed to the U.S.’s self- 
regulatory approach if the FTC provided the enforcement mechanism for those com- 
panies that signed up for the safe harbor. As it stands today, 242 American corpora- 
tions have signed up for the Safe Harbor, and many of those companies are AeA 
Members. Further investigation needs to be undertaken to determine if H.R. 4678
will harmonize with the EU Data Directive, and if it doesn’t then if it will not jeopardize
the negotiated Safe Harbor now in place. It is one thing to say that we are
in compliance with the European Data Directive, and it is quite another to convince 
the Europeans of that fact. 

We believe that while these concerns are not fatal to the bill at hand, they do 
present very important questions that do need to be addressed before our unquali- 
fied support can be given to H.R. 4678. My staff and I will be happy to work with 
you and the Subcommittee in taking up these issues. 

Mr. Chairman, thank you for the opportunity to testify on H.R. 4678. AeA looks 
forward to working with the Committee in developing — and passing — practicable 
consumer privacy protection, if not in this Congress then in the next. I would be 
pleased to answer any questions that you may have. 

Mr. Stearns. I thank you. 

Mr. Servidea. 

STATEMENT OF PHILIP D. SERVIDEA 

Mr. Servidea. Mr. Chairman, Representative Harman, members 
of the subcommittee, I am Phil Servidea, Vice President of Govern- 
ment Affairs for NCR Corporation. Thank you for the invitation to 
testify before your subcommittee today. 

NCR’s heritage for providing solutions for retail and financial in- 
dustries goes back almost 120 years to its founding as the National 
Cash Register Company. Today, NCR is one of the world’s largest 
suppliers of solutions that enable transactions between consumers 
and businesses, be it in stores, through self-service terminals or 
over the Internet. 

Mr. Chairman, NCR’s corporate slogan, “Transforming Trans- 
actions Into Relationships,” speaks to the importance we place on 
consumer protection in our solutions. So the subject of today’s hear- 
ing is important to NCR as it is to all of us, since we are all con- 
sumers. 

I am also the working chair of the Privacy Task Force of the 
Computer Systems Policy Project, or CSPP. CSPP is the Nation’s 
leading advocacy organization, comprised exclusively of CEOs of 
the information technology industry. We have worked closely with 
the chairman and the committee staff in the formation of H.R. 
4678. 

We commend the chairman on the deliberative process used to 
craft the legislation. Businesses collecting information about their 
customers is not new. Your grandmother’s butcher probably knew 
not only her name and her favorite cuts of meat, but also how the 
children were doing in school. We used to call it friendly, personal 
service at a time when businessmen and their customers were also 
neighbors. 

Today, technology makes it possible for companies thousands of 
miles away to also serve their customers better. The growth of data 
collecting is fueling the global debate over privacy, creating a ten- 
sion between consumers sharing personal information and busi- 
nesses’ attempts to serve them more effectively and personally. 

The benefits to consumers of personalized service and the protec- 
tion of their personal data are not incompatible. Consumers should 
and must have control over the use of their personal data. The pro- 
tection and appropriate use of personal information is a growing 
concern for consumers and businesses alike. To ensure continued 
success and growth, it is important for companies to address pri- 
vacy as an important consumer expectation. 





One fundamental necessity of commerce, both traditional as well 
as e-commerce, is trust. Without trust, businesses cannot survive. 
Businesses that do not heed the expectations of their customers 
will quickly lose trust, and ultimately their viability. Quite simply, 
the business of privacy is good business. 

Consumers in control of their data may freely choose the release 
of their personal information in return for better choices or serv- 
ices. I suspect that each of us as airline passengers would not mind 
being offered an upgrade at the gate because the airline agent 
knows that we experienced a flight cancellation days earlier. 

Most companies are doing the right thing in providing privacy 
options. But as long as there is potential short-term gain in abusing
personal information, can we count exclusively on company volunteerism
to prevent abuse? While many company executives shudder
at the thought of more regulation, their companies and their
customers alike will be better served if industry and government 
work together toward rational and uniform rulings that are fair to 
all. 

NCR believes that the right legislation built on top of market- 
driven solutions can assure that all consumers are afforded this 
protection. 

Presently Federal privacy laws exist which govern specific indus- 
try sectors, protect sensitive information and target specific harm- 
ful or fraudulent behaviors. But in the U.S. there is no single, 
broad-based law that affects the use of personal data, which is why 
we are here today. 

But what type of legislation can work? The CSPP has advanced 
a set of four principles for such legislation. I would like to comment 
on two of those. First, legislation must be comprehensive and apply 
with appropriate flexibility to personal data, whether collected on- 
line, over the telephone or in face-to-face commercial transactions. 
To enact legislation that applies only to on-line activities would 
mislead the American consumer. 

As a supplier of business intelligence solutions, NCR knows, as 
the chairman said, that click-and-mortar firms do not distinguish 
between personal data obtained through different channels. Fur- 
ther, on-line transactions account for only a small fraction of con- 
sumer transactions, last year less than 1 percent. Also, as tech- 
nologies merge, such as the Internet and wireless technologies, the 
distinction between online and offline is blurring. 

Simply put, when it comes to customer’s rights, data is data. 

Second, the legislation must recognize that markets, particularly 
on the Internet, are national in scope. One only need recall the 
endless mailings from banks implementing Gramm-Leach-Bliley to 
imagine the morass of legal uncertainty that would ensue if both 
State and Federal legislation purported to govern consumers’ rights 
for personal data protection. Federal legislation in this area should 
preempt State and local law. 

Mr. Chairman, and Ranking Member Towns, while I have com- 
mented on only two principles, I am proud to say that your bill, 
overall, effectively balances consumer and business interests. H.R. 
4678 requires clear and conspicuous disclosure of businesses’ pri- 
vacy practices and enables individuals to make informed choices 
about sharing their personal information. 





During NCR’s long history, a lot of things have changed, but its 
philosophy has not. If you want your customers’ trust, you have to 
respect your customers’ privacy. In summary, NCR is pro-privacy. 
H.R. 4678 is a step in the right direction, and we look forward to 
working with the subcommittee toward the bill’s enactment. 

Thank you, Mr. Chairman, for holding this hearing today. Thank 
you for your hard work on drafting H.R. 4678. 

[The prepared statement of Philip D. Servidea follows:] 

Prepared Statement of Philip D. Servidea, Vice President of Government Affairs,
NCR Corporation; Chair, Networked World Committee, Computer
Systems Policy Project

Mister Chairman, Representative Towns, and members of the Subcommittee, I am 
Phil Servidea, Vice President of Government Affairs for NCR Corporation. Thank 
you for the invitation to testify before your Subcommittee today. 

NCR’s heritage in providing solutions for retail and financial industries goes back 
almost 120 years to its founding as the National Cash Register Company. Today, 
NCR is one of the world’s largest suppliers of solutions that enable transactions be- 
tween consumers and businesses, whether in stores, through self-service terminals, 
or over the Internet. 

Mister Chairman, NCR’s corporate slogan, “Transforming Transactions Into Rela- 
tionships”, speaks to the importance we place on consumer protections in our solu- 
tions. So, the subject of today’s hearing is important to NCR, as it is to all of us 
since we are all consumers. 

I am also the Working Chair of the privacy task force of the Computer Systems 
Policy Project, or CSPP. CSPP is the nation’s leading advocacy organization com- 
prised exclusively of CEOs of the information technology industry. We have worked 
closely with the Chairman and Committee staff in the formation of HR 4678. We 
commend the Chairman on the deliberative process used to craft this legislation. 

Businesses collecting information about their customers is not new. Your grand- 
mother’s butcher probably knew not only her name and her favorite cuts of meat, 
but how the children were doing in school, as well. We used to call it “friendly, per- 
sonal service” at a time when businessmen and their customers were also neighbors. 

Today, technology makes it possible for companies thousands of miles away to 
also serve their customers better. The growth in data collecting is fueling the global 
debate over privacy; creating a tension between consumers’ sharing personal infor- 
mation and business’ attempt to serve them more effectively and personally. 

The benefits to consumers of personalized service and the protection of their per- 
sonal data are not incompatible; consumers should and must have control over the 
use of their personal data. 

The protection and appropriate use of personal information is a growing concern
for consumers and businesses alike. To ensure continued success and growth, it’s 
important for companies to address privacy as an important consumer expectation. 
One fundamental necessity of commerce, both traditional as well as e-commerce, is 
trust. Without trust, businesses cannot survive. Businesses that do not heed the ex- 
pectations of their customers will quickly lose trust, and ultimately their viability. 
Quite simply, the business of privacy is “good business”. 

Consumers in control of their data may freely choose the release of their personal 
information in return for better choices or services. I suspect that you as an airline 
passenger would not mind being offered an upgrade at the gate because the airline 
agent knows you experienced a flight cancellation days earlier. 

Most companies are doing the right thing in providing privacy options. But as 
long as there is potential short-term gain in abusing personal information, can we 
count exclusively on company voluntarism to prevent abuse? While many company 
executives shudder at the thought of more regulation, their companies and their 
customers alike will be better served if industry and government work together to- 
ward rational and uniform rules that are fair to all. NCR believes that the right 
legislation built on top of market-driven solutions can assure that all consumers are 
afforded this protection. 

Presently, federal privacy laws exist which govern specific industry sectors, pro- 
tect sensitive information, and target specific harmful or fraudulent behaviors. But 
in the U.S. there is currently no single, broad-based law that affects the use of per- 
sonal data, which is why we are here today. 

But what type of legislation can work? CSPP advanced a set of core principles for 
such legislation. I would like to comment on two of those principles. 





First, legislation must be comprehensive and apply, with appropriate flexibility, 
to personal data, whether collected online, over the telephone or in face-to-face com- 
mercial transactions. To enact legislation that applies only to online activities would 
mislead the American consumer. As a supplier of business intelligence solutions, 
NCR knows that click-and-mortar firms do not distinguish between personal data 
obtained through different channels. Further, online transactions account for only 
a small fraction of consumer transactions, last year less than one percent. Also, as 
technologies merge, such as the Internet and wireless technologies, the distinction 
between online and offline is blurring. 

Simply put, when it comes to consumers’ rights, data is data. 

Secondly, legislation must recognize that markets, particularly on the Internet, 
are national in scope. One only need recall the endless mailings from banks imple- 
menting Gramm-Leach-Bliley to imagine the morass and legal uncertainty that 
would ensue if both State and federal legislation purported to govern consumers’ 
right for personal data protection. Federal legislation in this area should preempt 
State and local law. 

Mister Chairman and Ranking Member Towns, while I have commented on only 
two principles, I am proud to say that your bill overall effectively balances consumer 
and business interests. HR 4678 requires clear and conspicuous disclosure of busi- 
ness’ privacy practices and enables individuals to make informed choices about shar- 
ing their personal information. 

During NCR’s long history, a lot of things have changed, but its philosophy has 
not — if you want your customers’ trust, you have to respect your customers’ privacy. 
In summary, NCR is pro-privacy. HR 4678 is a step in the right direction and we 
look forward to working with the Subcommittee toward the bill’s enactment. 

Thank you, Mister Chairman, for holding this hearing today and thank you for 
your hard work on drafting HR 4678. 

Mr. Stearns. And I thank you for your compliments. 

Mr. Schall. 


STATEMENT OF JOHN A. SCHALL 

Mr. Schall. Mr. Chairman, thank you for the opportunity to dis- 
cuss the Consumer Privacy Protection Act. I am John Schall, the 
Executive Director of the National Business Coalition on E-Com- 
merce and Privacy. We are 15 widely recognized companies dedi- 
cated to the pursuit of a balanced and uniform national privacy 
policy. 

We are engaged in virtually every sector in the economy and in 
every geographic location in the country, with over 40 million cus- 
tomers. We are both online and offline, and we are both financial 
and nonfinancial companies, companies like General Motors, John 
Deere, Home Depot, General Electric, Charles Schwab. 

We believe that H.R. 4678 moves the privacy debate in a positive 
direction; and we would like to thank you, Mr. Chairman, for the 
enormous amount of work that you and your staff have put into 
crafting this legislation. 

The straightforward step of letting consumers know how infor- 
mation is going to be used is the single most important thing we 
can do in the area of privacy. A well-informed customer is the heart 
of the matter because knowledge empowers the consumer. 

I will focus my remarks today on three areas. One, creation of 
a uniform national privacy standard; two, the equal treatment of 
on-line and off-line information; and three, private rights of action. 

A patchwork of State laws would pose a significant disincentive 
for companies that would be forced to navigate a sea of conflicting 
local laws. Mr. Chairman, over 548 bills were introduced in the 50 
State legislatures this year dealing with privacy; that is 548 dif- 
ferent approaches to what 50 different State jurisdictions ought to 
do with the single issue we are discussing here today. And if that
weren’t enough, numerous local jurisdictions are now also jumping
in to tackle the privacy question. 

In Ms. Harman’s home State of California, for example, San 
Mateo County and Daly City have both just passed their own pri- 
vacy laws. And six more counties and cities in just the San Fran- 
cisco area are expected to do so in the coming months, coming 
weeks. And surely there will be more after that. 

Remember, there are almost 100,000 local government jurisdic- 
tions in the United States. I am not sure I even want to con- 
template how a company could comply in 50 different States and 
100,000 different localities. 

I would also add that those who argue that they seek a Federal 
privacy law to create, quote, “a floor but not a ceiling” are begging 
the question of fundamental fairness. A world of floors and ceilings 
will result in conflicting standards that benefit some consumers 
and punish others merely because of geographic location. We wish 
to strongly impress upon the Congress, then, the urgent need to 
pass legislation that preempts both State and local laws and pro- 
vides a uniform privacy standard across the Nation. 

Second, all our companies operate both online and offline, and we 
are pleased that this bill treats both types of information in the 
same way. Making a distinction between online and offline would 
present real difficulty. As a general rule, all information collected 
by companies, either online or offline, is stored in the same system. 
No distinction is made based on where the information is collected. 

And such a distinction becomes an exercise in hair-splitting. If 
information is collected in person and then stored online, is that 
online or offline? What if the information is transmitted from a 
telephone to a computer? I mean, these are the sorts of Solomonic 
judgments that could keep the courts busy for years. 

Third, we are pleased that H.R. 4678 does not permit private 
rights of action at a time when everyone agrees that our society is 
already far too litigious. The Federal Trade Commission has recog- 
nized that existing enforcement authority deals with most viola- 
tions of privacy law. 

Opening the door to private rights of action would result in un- 
necessary lawsuits and a clogged legal system. Instead, H.R. 4678 
more appropriately creates a Self-Regulatory Organization process 
with binding arbitration. 

I would also point out that under this bill the States would still 
have private rights of action and the litigation authority vested in 
them through the many FTC acts. 

Mr. Chairman, H.R. 4678 is the most promising alternative cur- 
rently pending in the Congress. We would like to suggest, however, 
some potential sand traps to avoid and a few drafting improve- 
ments in the bill. For example, the opt-out provisions of the bill 
should apply to the use of information and not to the collection of 
information. Likewise, our companies who all deal in both on-line 
and off-line transactions and both the business-to-business and the 
business-to-consumer environments would like it to be more ex- 
plicit that this bill applies to business-to-consumer relationships 
only. We believe it would also be helpful to prohibit class action 
lawsuits. 





Finally, unnecessary access provisions are best avoided because 
they could, ironically, create perverse incentives for companies to 
centrally maintain exactly the sort of customer profiles that we all 
seek to avoid. 

So, Mr. Chairman, on behalf of the National Business Coalition 
on E-Commerce and Privacy, I would like to congratulate you on 
striking a sensible balance between the privacy of the consumer 
and the needs of the business community. And thank you. 

[The prepared statement of John A. Schall follows:] 

Prepared Statement of John A. Schall, Executive Director, National 
Business Coalition on E-Commerce and Privacy 

Mr. Chairman and Members of the Subcommittee, on behalf of the members of 
the National Business Coalition on E-Commerce and Privacy, I want to thank you 
for permitting me the opportunity to discuss our views on HR 4678, the Consumer 
Privacy Protection Act of 2002. We believe that this is an important piece of legisla- 
tion with profound consequences not only for e-commerce specifically, but for the 
economy as a whole. 

The National Business Coalition on E-Commerce and Privacy, of which I am the 
Executive Director, is comprised of 15 widely recognized companies dedicated to the 
pursuit of a balanced and uniform national policy pertaining to electronic commerce 
and privacy. We are engaged in virtually every sector of the economy and in every 
geographic location in the country, with over 40 million customers. We deliberately 
created a diverse coalition because the privacy issue is not just restricted to the fi- 
nancial services industry or the health care community, but touches on every sector 
of our economy. 

We believe that we are the only coalition whose membership includes financial 
and non-financial companies. Our wide range of companies are in manufacturing, 
like General Motors and John Deere Corporation; retail, like Home Depot; hospi- 
tality, like Six Continents Hotels; media, like General Electric; as well as some in- 
surance and financial services companies such as Charles Schwab. These and our 
other members are all top competitors in the e-commerce marketplace, who use the 
Internet as an essential component of their ability to deliver goods and services to 
their customers. 

Our members have spent decades developing respected brand names and culti- 
vating mutual trust with their customers, and I can assure every member of this 
Subcommittee that we are strongly committed to ensuring the privacy of our cus- 
tomers both on-line and off-line. 

It is for that reason that we are very encouraged by the provisions of HR 4678. 
We believe this bill moves the privacy debate in a positive and useful direction, and 
the Coalition would especially like to thank you, Mr. Chairman, for the enormous 
amount of work that you and your staff have put into analyzing the complexities 
of the privacy issue and in crafting this legislation. 

The Coalition is pleased that HR 4678 lays out a clear-cut and balanced privacy 
policy for the nation. By requiring the prominent posting of, and by requiring adher- 
ence to, a company’s privacy policies, it is our view that HR 4678, more than any 
other piece of legislation currently before the Congress, assures that consumers 
have the information that they need in order to make informed choices about the 
use of personal information that pertains to them. A well-informed consumer is the 
heart of the matter because in a free market economy, knowledge empowers the cus- 
tomer. And we believe that the simple and straightforward step of letting consumers 
know how information is going to be used is the single most important and useful 
thing that we can do in the area of privacy. 

I will focus my remarks today on three areas that our Coalition deems especially 
important: 1) the creation of uniform national privacy standards; 2) the equal treat- 
ment of off-line and on-line information; and 3) private rights of action. We are 
pleased to see that HR 4678 deals with each of these vital issues in a balanced and 
sensible way. 

By creating uniformity of state and local privacy laws, we believe HR 4678 dem- 
onstrates an appropriate appreciation of the nature of e-commerce and the modern 
economy. An economy in which orders for new products and services can be made 
at the touch of a button. An economy that allows a customer in Oregon to purchase 
a product in Florida in a matter of mere seconds. An economy that is, in a very 
real way, an economy without borders. 





A patchwork of state and local laws would pose an enormous burden to, and frag- 
mentation of, our economy. This would be a significant disincentive for companies 
to participate in the e-commerce marketplace, especially smaller companies, since 
they would be forced to navigate a sea of sometimes conflicting state and local pri- 
vacy laws. Furthermore, the costs of complying with such conflicting laws would, 
more likely than not, be passed on to the consumer. 

Mr. Chairman, in the 50 states this year, over 548 privacy bills were introduced 
in the state legislatures. That’s 548 different approaches to what 50 different state 
jurisdictions ought to do about the single issue we’re discussing here today. 

And if that weren’t enough, numerous local jurisdictions are now also jumping in 
and beginning to tackle the question of privacy. For example, in the State of Cali- 
fornia, San Mateo County and Daly City have both just passed their own privacy 
laws, with San Francisco, Berkeley, Marin County, Contra Costa County, and Ala- 
meda County all expected to do so in the coming weeks. And that’s within just the 
San Francisco Bay Area. Surely there will be more after that. Remember, there are 
almost 100,000 local government jurisdictions in the United States. I’m not sure I 
want to even contemplate how a company could comply with 50 states multiplied 
by 100,000 localities multiplied by a minimum of 548 different privacy policies. 

Obviously, this is a recipe for a disjointed and inefficient marketplace. We, there- 
fore, wish to strongly impress upon the Congress the urgent need to pass legislation 
with strong Federal preemption of both state and local laws. We believe that only 
by effectively providing a uniform privacy standard across the nation, will the Con- 
gress be able to avoid the problems that would accompany a multitude of legal re- 
quirements, with all of the ultimately unworkable administrative requirements that 
would imply. 

I would also add, Mr. Chairman, that those who argue that they seek a Federal 
privacy law to create “a floor but not a ceiling,” are begging a fundamental question 
of fairness. If privacy is to mean anything it is as a guarantee of certainty that con- 
sumers may know the rules of the road wherever they go in our economy. Far from 
being a protection of privacy, the “floor and not a ceiling” argument will result in 
confusion and conflicting standards that will benefit some consumers and punish 
others almost at random because of the mere accident of geographical location. In 
the world of floors and ceilings, where you live will be more important to your pri- 
vacy than who you are. 

Secondly, the Coalition is greatly pleased to see that HR 4678 treats information 
gathered on-line and off-line in the same way. Every one of our member companies 
operates both on-line and off-line, as does, I assume, almost every major American 
company, as well as a number of smaller ones. While we appreciate that those Mem- 
bers of Congress who seek to make a distinction between on-line and off-line infor- 
mation believed that they are assisting certain portions of the business community, 
the truth is that doing so, in fact, would be enormously burdensome and presents 
some very real difficulties. 

To begin with, as a general rule, all information collected by companies either on- 
line or off-line is stored in the same system. Often no distinction is made based on 
where the information is collected. To create such a distinction in law would be to 
invite enormous record keeping and financial burdens for private industry, to no 
practical real world benefit for the consumer. 

Furthermore, to create such a distinction becomes an exercise in the most pro- 
found hair splitting. Is information collected in person and then stored online con- 
sidered online or offline? What if the information is collected over the telephone, or 
through a computer? Or transmitted from a telephone to a computer? These are the 
kinds of Solomonic judgments that will keep the courts busy for years if a distinc- 
tion is made between on-line and off-line information. 

By treating similar information gathered on-line and off-line in the same way, HR 
4678 sensibly balances the needs of industry with the privacy of the consumer, and 
assures the protection of both with a minimum of ambiguity. 

Thirdly, we are greatly pleased that HR 4678 does not permit private rights of 
action at a time when everyone agrees that our society is already far too litigious. 
The Coalition is well aware that this matter of private rights of action will be highly 
controversial and is an outgrowth of broader legal reform issues facing the Con- 
gress. But the likely result of a private right of action would be to dissuade compa- 
nies from relying on e-commerce, or more likely, it would cause them to hedge their 
bets against frivolous lawsuits by adding costly procedures and protections. Such 
procedures and protections would not measurably aid consumers, but their costs 
would be passed on in the form of higher prices and reduced service. 

In the context of privacy, there is concrete evidence to show that existing law has 
more than sufficed to protect consumer interests. The Federal Trade Commission 
has recognized that existing enforcement authority deals with most violations of privacy
law and opening the door to private rights of action would simply create an
environment conducive to even more unnecessary lawsuits in an already clogged 
and expensive legal system. I would also point out that under this bill, the states 
would still have existing private rights of action and the litigation authority already 
vested in them through the mini-FTC Acts. 

Instead of creating a new private right of action, HR 4678 more appropriately cre- 
ates a Self Regulatory Organization (SRO) process in which arbitration may be 
binding. This possibility of binding arbitration is critical — otherwise the SRO proc- 
ess would represent little more than yet another expensive layer of compliance. 

Mr. Chairman and Members of this Subcommittee, HR 4678 is a reasoned and 
measured step forward in the privacy debate, and the most promising alternative 
currently pending in the Congress. We would like to suggest, however, some poten- 
tial sandtraps to avoid and some drafting improvements to HR 4678, where possible. 

For example, we would highlight the need to apply the opt-out provisions of the 
bill to the use of information, rather than to the collection of information, as the 
bill currently requires. Likewise, our Coalition companies, who all deal in both the 
business-to-business and the business-to-consumer environments, would like it to be
made more explicit that HR 4678 applies to business-to-consumer relationships and 
not to business-to-business transactions. With regard to remedies and enforcement, 
we believe that it would be helpful to explicitly prohibit class action lawsuits. Fi- 
nally, unnecessary access provisions are best avoided because they could ironically 
create perverse incentives for companies to centrally maintain exactly the sort of 
customer profiles that we all seek to avoid. 

Mr. Chairman and Members of this Subcommittee, once again, on behalf of the 
National Business Coalition on E-Commerce and Privacy, I would like to congratu- 
late you on your leadership in successfully moving the privacy debate forward and 
in drafting HR 4678. We believe that with this legislation, you have taken a singularly
positive step, and that you have struck a prudent and sensible balance between
the privacy of the consumer and the needs of the business community. We
hope to be able to continue to work with you as the privacy debate develops, and 
I would now be happy to answer any questions that you may have. 

Attachment 

NATIONAL BUSINESS COALITION ON E-COMMERCE AND PRIVACY 

Member Companies: American Century Investments; AMVESCAP; CheckFree; 
CIGNA; Deere & Company; Dupont; Fidelity Investments; Fortis, Inc.; General Elec- 
tric; General Motors; The Home Depot; Investment Company Institute; MBNA 
America; Charles Schwab & Company; and Six Continents Hotels 

Mr. Stearns. Yes, thank you, John. 

Ms. Whitener. Welcome. 

STATEMENT OF REBECCA WHITENER 

Ms. Whitener. Thank you, Mr. Chairman. It is a pleasure to be 
here today to discuss H.R. 4678, the Consumer Privacy Protection 
Act of 2002.

As Director of Privacy Services for EDS, I am responsible for the 
global strategy, the service line offering development and the meth- 
odology for EDS clients’ focused privacy services. 

Mr. Chairman, H.R. 4678 is a culmination of many hearings and 
discussions with people of different points of view. You have pro- 
ceeded carefully and are to be commended for that approach. Your 
bill understands that the protection of privacy and data and the 
ability to share information are good for business and consumers 
alike. 

EDS’s Chairman and CEO, Dick Brown, is chairman of the Dig- 
ital Economy Task Force of the Business Roundtable. That task 
force has made several recommendations on how we should proceed 
in ensuring that any legislative remedies do not impede electronic 
commerce. 





First, do not hinder self-regulation efforts of industry to give con- 
sumers informed choice. By and large, industry has done a good 
job. If a company decides to share information in a perceived detri- 
mental way, the market is pretty quick to act. 

Second, ensure consistency and certainty in the marketplace 
through a national standard in rules. Without strong Federal pre- 
emption, there will be confusion among consumers, and business 
will reconsider engaging in electronic transactions. 

Next, have one Federal agency responsible for regulating con- 
sumer privacy. Again, it is unrealistic to expect business and con- 
sumers to coordinate with multiple entities. 

Four, treat e-commerce as any other form of commerce. The 
Internet is becoming so ingrained in business processes that e-com- 
merce should not be singled out for any special regulatory treat- 
ment. 

Fifth, keep a level, consistent playing ground between govern- 
ment and business. Do not prohibit the selling of information by 
ABC Book Company while allowing the Department of Motor Vehi- 
cles to sell driver’s license information. 

Finally, there should not be any new private right of action. It 
is just not necessary. The market and existing laws and regulations 
will do the job. 

Mr. Chairman, H.R. 4678 goes a long way to meeting those re- 
quirements, and it encompasses much of what EDS has included 
in its global privacy and data protection policies. We are especially 
pleased to see that you have addressed security concerns in your 
legislation. Cyber security continues to be a growing problem and 
there are significant indications that more should be done to pro- 
tect data and networks. 

The numbers are staggering. In 2000, computer viruses worldwide
cost $17.1 billion in damages. EDS alone encounters more
than 650 attempted break-ins and three new viruses every day on
servers that it runs for 2,500 clients. A major virus like “Code Red”
or “ILOVEYOU” costs billions to eliminate. The release last week
of the President’s National Strategy to Secure Cyberspace is a step 
in the right direction. It highlights many of the areas that must be 
addressed so that consumers can be confident that their trans- 
actions and information shared with government and businesses 
are secure. 

Now onto some specific comments about section 105: In para- 
graph a(2) we agree with your requirement that senior manage- 
ment consider and improve an information security policy. Security 
awareness needs to be raised in the consciousness of senior man- 
agement, and this will go a long way to that end. 

Paragraph a(3)(B) makes a great deal of sense. Most organiza- 
tions have someone responsible for IT security, but in many cases 
they aren’t designated or there are unclear lines of responsibility. 

Paragraph b(1), there are a number of sources that can be used
for timely notification. We believe in flexibility as to the source of 
a notification and a corrective action taken, which is more clearly 
outlined in the exceptions in 105 b(2). This will provide a broad- 
ened approach based on company policy. 

Paragraph b(1), corrective action implies that there is an effective
process within an organization to monitor threat warnings and
know when to effectively apply remediation. This is a critical security
capability.

In paragraph c the process for how the Commission will base the 
decision to hold the organization culpable in violating section 105 
is unclear. We agree on the importance of the role placed on self- 
regulatory programs as defined in section 106. 

In e, the requirement for regular compliance testing which shall 
take place not less frequently than every 4 years ensures self-re- 
views and self-certifications are accurate. Companies should be 
given the choice of addressing this compliance testing through their 
own internal audit programs, through privacy consultants and 
through public accounting firms. 

We would be glad to work with your staff on these points. 

Mr. Chairman, we appreciate the opportunity to testify on H.R. 
4678. We want to continue working with you next year on this leg- 
islation. If it becomes necessary to pass a consumer privacy bill, 
then we want to make sure that it supports the growth of addi- 
tional economy rather than placing roadblocks in the way and lim- 
iting those who can enjoy the benefits of the new economy. 

Thank you. 

[The prepared statement of Rebecca Whitener follows:] 

Prepared Statement of Rebecca Whitener, Director of Privacy Services, 
EDS Security and Privacy Services 

Thank you Mr. Chairman. 

It is a pleasure to be here today to discuss HR 4678, the Consumer Privacy Pro- 
tection Act of 2002. 

I am Rebecca Whitener, Director of Privacy Services for EDS. In that capacity I 
am responsible for the global strategy, service line offering development, and meth- 
odology for EDS client-focused Privacy services. Prior to joining EDS, I was a co- 
founder and Chief Operating Officer of Fiderus, a Security and Privacy Consulting 
firm, and before that a Principal in charge of global privacy services at IBM. In my 
career, I have worked with companies around the world to develop business solutions
for security and privacy. In 2000, I had the privilege of serving on the Federal
Trade Commission Advisory Committee for Online Access and Security. 

Privacy is one of those issues that generate a great deal of passion in any discus- 
sion. We Americans have always viewed privacy as a core principle of our society 
and democratic way of life. We hold privacy dear and defend it with great vigor 
when we believe it is threatened. 

But the Digital Economy, with all its promises, poses interesting dilemmas on our 
view of privacy. For instance, do we consider an online bookseller sending us an e- 
mail about a release from our favorite author an invasion of privacy or effective 
marketing? Do we feel that the selling of information to a third party so that we 
can be made aware of a new product is an abuse of consumer trust or an important 
source of information? 

Mr. Chairman, HR 4678 is the culmination of many hearings and discussions with 
people of different points of view. You have proceeded carefully and are to be com- 
mended for that approach. Your bill understands that the protection of privacy and 
data and the ability to share information, are good for business and consumers 
alike. 

EDS’ Chairman and CEO Dick Brown is chairman of the Digital Economy Task 
Force of the Business Roundtable. That task force has made several recommenda- 
tions on how we should proceed in ensuring that any legislative remedies do not 
impede electronic commerce. 

First, do not hinder self-regulation efforts of industry to give consumers informed 
choice. By and large, industry has done a good job. If a company decides to share 
information in a perceived detrimental way, the market is pretty quick to act. 

Second, ensure consistency and certainty in the marketplace through a national 
standard in rules. Without strong federal preemption there will be confusion among 
consumers, and business will reconsider engaging in more efficient, electronic transactions.
Many states are now pursuing their own legislative remedies and the patchwork
of laws that may emerge will surely be a roadblock to the Digital Economy.





Next, have one federal agency responsible for regulating consumer privacy. Again, 
it is unrealistic to expect business and consumers to coordinate with multiple enti- 
ties. 

Fourth, treat e-commerce as any other form of commerce. The Internet is becom- 
ing so ingrained in business processes that e-commerce should not be singled out 
for any special regulatory treatment. Unfortunately, there are those who seek to dis- 
criminate against this way of doing business. 

Fifth, keep a level, consistent playing ground between government and business. 
Do not prohibit the selling of information by the ABC book company while allowing 
the Department of Motor Vehicles to sell drivers’ license records. 

Finally, there should not be any new private right of action. It is just not nec- 
essary. The market and existing laws and regulations will do the job. 

Mr. Chairman, HR 4678 goes a long way to meeting these requirements. And it 
encompasses much of what EDS has included in its Global Privacy and Data Protec- 
tion Policies. 

There are, however, several specific issues I would like to highlight in certain sec- 
tions of the bill. 

In Section 101, Privacy Notices to Consumers, subsection b (Forms and Content 
of Notice), point two could also include a physical mail address as an option for ob- 
taining a privacy statement. In that same subsection, point three would be strength- 
ened if it read “If the notice is required under subsection (a)(2), a statement that 
there has been a material change in the organization’s privacy policy, and where 
in the privacy policy the change(s) have occurred.”

A comment on Section 109, Effect on Other Laws, subsection d. This is most wel- 
come as we see states passing inconsistent privacy laws. The other thing we are see- 
ing is that some counties and even cities are contemplating passing laws because 
they don’t think the state laws do the right job. If cities start doing the same thing 
then we will never know what law prevails. Preemption must be part of any legisla- 
tion. 

In the Improved Identity Theft Data section, a reflection of some of the best prac- 
tices that are starting to appear in the proposed state measures may be useful, par- 
ticularly as they relate to the use of social security numbers. 

In Section 304, Harmonization of International Privacy Laws, Regulations and 
Agreements, the approach is on target. Businesses should have the freedom to oper- 
ate globally under harmonized laws. Processes that leave the door open for a claim 
of inadequacy and that continue a bilateral agreement do little to promote e-com- 
merce. 

We are especially pleased to see that you have addressed security concerns in 
your legislation. Cyber security continues to be a growing problem and there are sig- 
nificant indications that more should be done to protect data and networks. 

The numbers are staggering. In 2000, computer viruses worldwide cost $17.1 bil- 
lion in damages. EDS alone counters more than 650 attempted break-ins and three 
new viruses every day on servers it runs for 2500 clients. A major virus like Code 
Red or ILOVEYOU costs billions to eliminate. 

The release last week of the President’s National Strategy to Secure Cyberspace 
is a step in the right direction. It highlights many of the areas that must be ad- 
dressed so that consumers can be confident that their transactions and information 
shared with government and business are secure. 

As part of our education effort on the urgency of protecting our economic infra- 
structure, we are submitting a high level security and privacy checklist that can be 
used by companies, organizations and governments. It may seem simple and 
straightforward but we find a number of entities needing advice about the basic 
steps. 

Now on to some specific comments about Section 105. 

In paragraph a(2) we agree with the requirement that senior management con- 
sider and approve an information security policy. Security awareness needs to be 
raised in the consciousness of senior management and this will go a long way to 
that end. 

Paragraph a(3)(B) makes a great deal of sense. Most organizations have someone 
responsible for IT security but in many cases they aren’t designated or there are 
unclear lines of responsibility. 

Paragraph b(1): There are a number of sources that can be used for timely notification.
We believe that flexibility as to the source of the notification and the corrective
action taken, which is more clearly outlined in the Exceptions in 105(b)(2). This
will provide a broadened approach based on company policy. 

Paragraph b(1): Corrective action implies that there is an effective process within
an organization to monitor threat warnings and know when to effectively apply re- 
mediation. This is a critical security capability. 





In Paragraph c, the process for how the Commission will base a decision to hold 
the organization culpable in violating Section 105 is unclear. 

We agree on the importance of the role placed on self-regulatory programs as de- 
fined in Section 106. In (E) the requirement for “regular compliance testing which 
shall take place not less frequently than every 4 years” to ensure self-reviews and 
self-certifications are accurate. Companies should be given the choice of addressing 
this compliance testing through their own Internal Audit programs, through privacy 
consultants, and through public accounting firms. 

We would be glad to work with your staff on these points. 

Mr. Chairman, we appreciate the opportunity to testify on HR 4678. We want to 
continue working with you next year on this legislation. If it becomes necessary to 
pass a consumer privacy bill then we want to make sure that it supports the growth 
of the Digital Economy rather than placing roadblocks in the way and limiting those 
who can enjoy the benefits of the new economy. 

I will be happy to answer any questions. 

Thank you. 

Mr. Stearns. Thank you. 

Ms. Barrett. 


STATEMENT OF JENNIFER BARRETT 

Ms. Barrett. Thank you, Mr. Chairman. 

Mr. Stearns. I also want to thank you. I think you came the far- 
thest to be here this morning. 

Ms. Barrett. Thank you. I guess I did. 

Thank you, Chairman Stearns and members of the sub- 
committee. Thank you for the opportunity to again participate in 
your hearings and today share the perspective of three companies 
on Titles I and III of H.R. 4678. The companies are Acxiom Cor- 
poration, a leading provider of innovative data management serv- 
ices and technology; Experian Marketing Services, a division of 
Experian North America, a leader in enabling organizations to 
make fast, informed decisions to improve and personalize relation- 
ships with their customers; and third, Trilegiant Corporation, one 
of the Nation’s largest direct mail marketers and member service 
providers. Our clients represent a who’s-who of America’s leading 
companies, and we are always proud of the reputation for helping 
them sell better products, smarter, faster and at a lower cost. 

We strongly support a balanced approach to the use of personal 
information. We believe that the inappropriate use of information 
to defraud or discriminate must be illegal. At the same time, the 
free flow of information this Nation enjoys today has greatly con- 
tributed to our economic growth and stability. Because of informa- 
tion sharing, consumers have greater choice in variety, goods and 
services cost less, and transactions are completed faster and more 
easily. 

First, we want to commend the committee for the extensive and 
thoughtful approach that it has taken in drafting this legislation. 
This committee has studied the complex issues involving consumer 
privacy to a greater degree than any other body of Congress, and 
your understanding of these issues is reflected in the bill. 

One of the key questions in today’s debate about privacy is 
whether legislation should be specific to the on-line sector or 
whether legislation should be particular, technology neutral, cov- 
ering both on- and off-line. It is difficult to argue that a corpora- 
tion’s policies should be different in these two worlds since every 
growth-oriented company inevitably combines data from both. However,
there are practical and important differences in how notice
can be delivered and choice can be exercised. 

In order to be fair to all mediums, the standard for providing a 
policy must be upon request. The interactive nature of the Internet 
allows a consumer to make an immediate informed choice about in- 
formation use. However, this interactive model is difficult, if not 
impossible, to achieve in the off-line world. 

We believe section 101 of the bill is intended to recognize and 
allow for these practical differences, and we want to continue to 
work with the committee to ensure that this upon-request distinc- 
tion is clear in the law so that businesses have the necessary flexi- 
bility to conduct successful marketing campaigns in this difficult 
economic environment. 

With regard to self-regulatory programs, section 106 of the bill 
recognizes the important role that these initiatives have played. 
Seal programs such as BBBOnline and TrustE, along with the Di- 
rect Marketing Association’s “Privacy Promise” represent effective 
self-regulatory standards for on-line, off-line and telephone-based 
relationships. These practices have a proven record of success and 
conform nicely to the provisions in H.R. 4678, and we therefore 
support the bill’s language with regard to approved self-regulatory 
programs. 

Enforcement is one of the most difficult aspects of privacy that 
we have to deal with. We believe H.R. 4678 has proposed a reason- 
able enforcement mechanism by building on existing proven meth- 
ods. Far too often legislation is simply not enforced for one reason 
or another. However, an increasing number of recent successful en- 
forcement actions have been taken by the Federal Trade Commis- 
sion demonstrating its effectiveness in the privacy area. 

Furthermore, with the straightforward nature of the bill, the 
three companies agree with the committee that the need to pre- 
scribe regulations is not necessary to enforce this title. Since there 
are in excess of 15 Federal privacy-related laws in the U.S., it is 
critical that any broad-based piece of legislation recognize and re- 
spect these existing laws and not create conflicting requirements. 

There are specific practices that need to be treated differently 
from general information collected and used by commercial entities, 
such as affiliate sharing of credit information within a financial in- 
stitution, as covered under the Fair Credit Reporting Act, and the 
sharing of sensitive information about children, covered under 
COPPA. 

Section 109 recognizes these specific situations and provides the 
right kind of harmonization with other existing laws. 

Section 109(d), Preemption of State Privacy Laws, is a necessary 
requirement for both consumers and business. Nothing will be 
more confusing to consumers than to have differing privacy laws in 
each State or locality. As we have seen with financial laws recently 
passed in North Dakota and the rush to enact similar laws at the 
local level, such as those in Daly City, Contra Costa County and 
Berkeley, California, a myriad of conflicting State or local laws 
make it imperative that a preemptive bill of this nature become 
law. 

There are three risks if States and localities are permitted to 
continue to enact their own privacy laws. First, is that the State 
and local governments lack the dedicated resources to conduct a 
thorough analysis of the issues that this committee has done. And, 
in addition, privacy becomes a very political issue. 

Second, for consumers, understanding their rights and being able 
to easily enforce them when an infraction occurs will be extremely 
difficult, which in turn seriously diminishes the effectiveness of the 
law. 

And third, local law enforcement historically has not focused on 
these kinds of issues, while the FTC has the resources and needed 
expertise. 

In short, without preemption, consumers will be confused and 
the effectiveness of enforcement will be reduced. 

Finally, I would like to comment on one aspect of the bill that 
is not found, and this is the issue of access. We believe that by not 
requiring — including the requirement for consumer access, H.R. 
4678 has properly recognized the inherent pitfalls of such a re- 
quirement. Each of the four fair information practices principles — 
notice, choice, access and security — must be applied uniquely to 
strike a balance between the value gained by consumers, business 
and society and the associated cost. 

The primary purpose of access is to assure that information a 
company maintains about an individual is accurate. However, ac- 
cess for the sake of curiosity is never justified. Today, without even 
a legal mandate, companies provide consumers ready access to cur- 
rent account information. Coupled with the consumer’s ability to 
opt out of having his or her name shared for unrelated purposes 
and the underlying concern about privacy and accuracy are thus 
satisfied. 

In conclusion, while the three companies I represent today might 
not agree on all the detailed provisions of H.R. 4678, we believe Ti- 
tles I and II represent a very balanced approach to protecting con- 
sumers’ privacy while allowing information flows that bring value 
to the consumer. I do, however, urge the committee to work closely 
with the credit bureaus and their trade associations to make sure 
that Title II is effective in preventing identity theft. 

Mr. Chairman, thank you for the opportunity today to testify on 
behalf of Acxiom, Experian Marketing Services and Trilegiant. I re- 
quest our formal statements be entered into the record and am 
pleased to answer any questions. 

[The prepared statement of Jennifer Barrett follows:] 

Prepared Statement of Jennifer Barrett, Chief Privacy Officer, Acxiom Corporation 

Chairman Stearns, Ranking Member Towns, and members of the Subcommittee, 
thank you for the opportunity to participate in this timely hearing and to share the 
perspective of the Companies on Titles I and III of H.R. 4678 — the “Consumer Pri- 
vacy Protection Act of 2002”. The three corporations listed in the caption sheet 
strongly support a balanced approach to the use of personal information. Descriptive 
information on these companies may be found in the appendix attached. 

I will not make specific comments about Title II. Instead, I urge the Committee 
to work closely with the Credit Bureaus and their trade associations to make certain 
Title II is effective in preventing identity theft and improves the remedies available 
for those whose identity has been stolen. 

Information products from our three companies fill an important gap in today’s 
business-to-consumer relationship. In our information-based economy, companies 
succeed not just by meeting their customers’ expectations, but by exceeding them 
with superior products and services of the highest quality. Businesses do not in- 
stinctively know everything their customers want and thus need information to bet- 
ter understand what consumers both want and need. Companies such as Acxiom, 
Experian and Trilegiant are the vehicles by which businesses acquire or better use 
this vital consumer information. 

The efficient flow of consumer information to businesses has significantly contrib- 
uted to our nation’s economic growth and stability by (1) enhancing variety in con- 
sumer goods and services; (2) facilitating lower domestic prices as compared to for- 
eign markets; and (3) accelerating the speed and ease with which transactions can 
be completed. This flow should be permitted to continue. 

Notwithstanding these successes, the inappropriate use of information to defraud 
or discriminate against consumers should be illegal. H.R. 4678 is a bill that makes 
every effort to balance these concerns, and we are pleased to be here today to com- 
ment specifically on a number of aspects of the bill. 

Comprehensive Coverage of Both Online and Offline Practices 

In the debate about data privacy, public policy makers are asking some very good 
questions regarding whether legislation should be specific to the online sector or 
technology neutral covering both online and offline practices. 

It is difficult to argue that a corporation’s policies governing the collection and use 
of personally identifiable information should be different in the online and offline 
environments. Further, even if legislation was focused only on online information, 
the offline environment would be affected equally, since online and offline data is 
inevitably combined at some point by every company. 

Even so, there are practical differences in the online and offline worlds that policy 
makers must carefully consider for legislation that is technology neutral. Self-regu- 
latory regimes already in place recognize these practical differences, so policy mak- 
ers should look to these practices as the basis of any future legislation deemed nec- 
essary. 

Most of the clients of our three companies, as well as our data sources, operate 
in multiple environments, too. For example, many catalog companies have an online 
catalog, and many retailers are becoming dominant forces on the Internet. In fact, 
only a very few companies exist solely in an online environment today — and even 
these companies depend on offline information, which they merge with online infor- 
mation, to increase efficiency and to stay competitive. 

However, there are important differences in how notice can be delivered and 
choice exercised in the online and offline environments. Understanding these dif- 
ferences is at the heart of the online/offline debate because self-regulatory practices 
or legal standards must allow enough flexibility to provide consumers effective no- 
tice and choice across different media. 

In order to be fair in all mediums, the standard for providing a full statement 
of information practices, usually referred to as a privacy policy, must be “upon re- 
quest.” 

Online Notice 

In an interactive online environment, an “on-request” standard can easily be pro- 
vided by a conspicuous link to a privacy policy. The interactive nature of the Inter- 
net also allows a consumer to make immediate, informed choices about how his or 
her information can be used. In the marketing industry, “opt-out” is the standard 
for informed consent, but the interactive nature of the Internet is also allowing new 
voluntary methods of permission-based marketing to flourish as well. This interactive 
nature has resulted in the widespread acceptance of online privacy standards 
like those proposed in Title I. Nearly 100 percent of the 100 largest consumer 
websites have a link to a privacy statement. 

Offline Notice 

However, this interactive model is difficult, if not impossible, to achieve in the off- 
line marketing context. In the telemarketing environment, delivering the same kind 
of notice and gaining the same kind of consent would be financially onerous, could 
destroy otherwise successful marketing campaigns, and could result in very negative 
customer relations. 

In the offline environment, there must be flexibility to deliver notice and choice, 
upon request, through the mail in paper form. Alternatively, businesses should be 
able to direct consumers to a telephone number or website to access a company’s 
policy. Also, retailers should be allowed to deliver notices at the checkout counter. 
In other words, businesses must have the flexibility to adopt practices that best 
meet the medium in which they are engaged, even though notice and choice about 
marketing information should be the policy in all mediums. 

We believe Sections 101 (a) and (b) of H.R. 4678, Privacy Notices to Consumers, 
Notice Required and Form and Contents of Notice, are intended to recognize and 
allow for these practical differences in collection, notice and choice methods that 
exist in the online, offline and telephone environments. We want to continue to work 
with the Committee to ensure this “upon request” distinction is clear in the law, 
so that businesses have the necessary flexibility to conduct successful marketing 
campaigns in this difficult economic environment. 

Self-Regulatory Programs 

Section 106, Self-Regulatory Programs, further recognizes the important role of 
self-regulatory programs that have served both the consumer and the business com- 
munity well in areas of information use where legislation has not previously existed. 

Such programs as the online seal programs from BBBOnline and TrustE, along 
with the Direct Marketing Association’s “Privacy Promise,” represent very effective 
self-regulatory standards for online, offline and telephone based relationships. These 
practices generally require companies to provide consumers choice through an op- 
portunity to “opt-out” of information sharing, to develop appropriate guidelines to 
keep the information secure, offer the consumer third party recourse for settling dis- 
putes, and the option to go to the Federal Trade Commission under Section 5(a)(1) 
of the Federal Trade Commission Act (15 U.S.C. 45 (a) (1)) where prior efforts to 
resolve the conflict have failed. 

All of these practices, which are in effect today and have a proven record of suc- 
cess, conform nicely with the provisions in H.R. 4678, and we therefore support the 
bill’s language with regard to self-regulatory standards. 

Enforcement 

We believe H.R. 4678 has proposed a reasonable enforcement mechanism in Sec- 
tion 107, Enforcement, by building on existing and proven enforcement methods. By 
doubling the amount of fines that may be imposed, this approach to enforcement 
becomes an even more effective deterrent. 

Enforcement is one of the hardest aspects of privacy with which to deal. Far too 
often, legislation is not enforced for one reason or another. However, an increasing 
number of successful enforcement actions have recently been undertaken by the 
Federal Trade Commission. Such actions have demonstrated the effectiveness of the 
FTC in dealing with privacy and security issues. 

Furthermore, with the self-regulatory choices and the straightforward nature of 
the provisions of H.R. 4678, the Companies agree with the Committee that the need 
to prescribe regulations is not necessary to enforce this title. The regulations in ef- 
fect already exist in the Federal Trade Commission Act. 

Harmonization with Other Laws 

Since there are in excess of fifteen (15) federal privacy-related laws in the U.S., 
it is critical that any broad-based legislation, such as H.R. 4678, recognize and re- 
spect these existing laws and not create conflicting requirements that do not serve 
either the consumer or the business community. 

There are specific practices that need to be treated differently from general per- 
sonal information collected and used by commercial entities, such as affiliate shar- 
ing of credit information within a financial institution covered under the Fair Credit 
Reporting Act, and the sharing of sensitive information about children under the 
age of 13 under the Children’s Online Privacy Protection Act. 

In Section 109, Effect on Other Laws, H.R. 4678 properly recognizes these various 
laws and the requirements they each impose and offers the right kind of harmoni- 
zation. 

State Preemption 

Section 109(d), Preemption of State Privacy Laws, is a necessary requirement both 
for the consumer and the business community. Nothing will be more confusing to 
concerned consumers, nor create more inefficiency to commerce, than to have dif- 
fering privacy laws in each state or locality. As we have seen recently in North Da- 
kota, and at the local level in Daly City, Contra Costa County and Berkeley, Cali- 
fornia, there appears to be a rush to enact unduly restrictive financial privacy laws. 
We suggest that these laws serve no other purpose than to dramatize the need for 
federal preemption, which H.R. 4678 offers. 

If states and localities are permitted to continue enacting their own versions of 
privacy laws, several risks exist. First, in light of the fact that no state or locality 
is likely to have the necessary resources to conduct a comprehensive and thorough 
analysis of the issues surrounding the use of information such as this committee has 
conducted, plus the fact that the privacy issue is a very highly charged political 
issue, legislation passed by states and localities will almost surely result in serious 
unintended consequences. Second, for consumers, to understand their rights and be 
able to easily enforce their rights when they believe an infraction has taken place 
will be extremely difficult, thereby diminishing the effectiveness of any enforcement 
action. Third, local law enforcement has not historically focused on these kinds of 
issues and the Federal Trade Commission has more resources and more expertise 
to deal with consumer complaints regarding privacy than any state or local author- 
ity. In short, without state preemption, consumers will be confused and the effec- 
tiveness of enforcement will be reduced. 

International Issues 

Title III — International Provisions — offers a good first step to address the growing 
concern of companies doing business outside the U.S. regarding the wide variety of 
privacy laws enacted in other countries. 

Dealing with information flows across borders is an extremely complex issue and 
we have far too few facts on which to evaluate effective solutions. The bill’s require- 
ment that the Comptroller General of the United States conduct a study and make 
recommendations regarding remediation of discriminatory activities should provide 
the facts needed to identify solutions that will work. 

Access to Information 

Few would argue that the four Fair Information Practices Principles — notice, 
choice, access and security — are not important consumer rights. Unfortunately, 
these principles are usually recited without considering their true complexity. Prac- 
tical approaches such as H.R. 4678 — whether statutory or self-regulatory — recognize 
that each of these principles must be applied in sensible ways appropriately tailored 
for the purpose for which the information is used. 

The application of each principle must strike a balance between the value gained 
by consumers, businesses and society and the costs associated with each. Sometimes 
that balance prohibits application of one or more of the fair information principles. 
For example, under the Fair Credit Reporting Act (FCRA), the nation’s oldest pri- 
vacy statute, consumers do not have a choice about being included in the national 
credit reporting system. If choice were an option, those who are lax on paying their 
bills would probably choose not to have that information disclosed to potential lend- 
ers which would result in increased lending risk for creditors and increased credit 
costs for consumers. In effect, there would be fewer financial service products for 
consumers. 

The principle of access, arguably the most complex issue in the debate about con- 
sumer privacy, must be thoughtfully applied because it raises significant privacy, 
data security and cost considerations for consumers, businesses, and society in gen- 
eral. Unfortunately, perhaps because of the complexity of this issue, many legisla- 
tive proposals dispense with the access principle by simply citing the obscure stand- 
ard that “reasonable access” should be provided upon the consumer’s request. While 
sounding sensible on its face, such an undefined standard delegates too much au- 
thority to regulators and the courts to develop public policy about consumer access. 

As explained below, we believe that, by not including a requirement for consumer 
access, H.R. 4678 has properly recognized the inherent pitfalls of such a require- 
ment. 

Allowing consumer access, by the very nature of the process, makes the data less 
secure. As a result, appropriate authentication and verification systems would have 
to be implemented. Providing access also means that information held by an organi- 
zation must be collected into personal, comprehensive profiles, which raises new pri- 
vacy concerns. Finally, the costs associated with data collection, new security sys- 
tems for authentication, and customer service staff necessary to administer disclo- 
sure, dispute and correction systems, can be enormous. 

The primary purpose of access is to make certain the information a company 
maintains about an individual is accurate. For example, if a company’s use of inac- 
curate or fraudulent information could cause harm to an individual through over- 
billing, or is used to make a decision that could deny a consumer a benefit or service 
such as credit, insurance or employment, then access should be provided. In these 
cases, it is in the best interest of both the consumer and the business to be sure 
the personal information about a consumer is correct. 

However, access for the sake of curiosity is not justified when the costs to society 
and the threat to personal privacy are significant. In such instances, access should 
be discouraged if there is no legitimate identified harm to an individual such as a 
denial of a benefit or service. 

Today, even without a legal mandate, almost every company provides consumers 
ready access to current account information, the very information which, if inac- 
curate, could result in a benefit or service being denied. This kind of targeted access 
to personal information reflects business’ interest in accurate, up-to-date records for 
billing purposes, as well as a customer-focused response to consumer demand. Many 
Internet-based companies offer access not only to account and billing information 
but also to customer-supplied information used to predict consumer preferences. 

Providing access to consumers would be of little benefit, and such access likely 
would pose a greater threat to privacy than currently exists. The nature of informa- 
tion in marketing databases would limit identity authentication largely to name and 
address (which is widely available in public sources, such as telephone directories) 
and, therefore, would greatly limit the ability of businesses to validate consumer 
identities for disclosure purposes. Accordingly, access requirements should be con- 
structed so as to balance the benefits to consumers against the security risks to 
them, and the costs to companies that hold the data. 

Allowing access to marketing databases would be enormously expensive. While 
that expense is justified and necessary with regard to information governed by the 
Fair Credit Reporting Act, it is of questionable value for data used only for mar- 
keting purposes. 

A consumer’s current ability to opt out of having their name shared for direct 
marketing purposes satisfies the underlying concern about privacy and accuracy 
without imposing undue and unnecessary costs to businesses or risks to consumers 
that would result from access requirements. 

H.R. 4678 has rightly not included a provision for access in the bill. 

Conclusions 

While Acxiom, Experian and Trilegiant do not agree on all the detailed provisions 
of H.R. 4678, we believe the bill, in its current form, and subject to our comments 
herein, represents a well-intentioned, balanced approach to protecting consumer 
privacy while allowing information flows that bring value to consumers and 
to our economy. We look forward to working with you to ensure these intentions are 
realized throughout the legislative process. 

Mr. Chairman, thank you for the opportunity to appear today on behalf of these 
three companies, Acxiom Corporation, Experian Marketing Services and Trilegiant. 
I am prepared to furnish any additional information to the Committee, and answer 
any questions you may have. 


APPENDIX 

The Companies include some of the most prominent organizations in the country 
involved in helping facilitate the appropriate use of information in ways that bring 
value to both the consumer and the business community. 

Acxiom Corporation 

For over thirty years, Acxiom Corporation has provided data management services 
and technology. The company helps both large and small businesses sell better prod- 
ucts and services smarter, faster, and at a lower cost. Acxiom’s business includes 
two distinct components: database management services and information products. 
Database management services, representing almost 90% of the company’s revenue, 
assist businesses in better managing their customer information, helping them save 
costs and secure a better return on their marketing efforts. Acxiom’s information 
products — directories, customer enhancement and list products — provide needed in- 
telligence to help businesses overcome the time and distance of less-personal cus- 
tomer relationships. 

Acxiom has approximately 5,000 employees worldwide, has processing centers in 
Arkansas, Illinois, Arizona and California, and has operations in the UK, Australia, 
France and Japan. 

Experian Marketing Services 

Experian is one of the world’s leading information solutions companies. Experian 
Marketing Solutions enables organizations to make fast, informed decisions to im- 
prove and personalize relationships with their customers. This is done by combining 
decision-making software and systems with some of the world’s most comprehensive 
databases of information about consumers, businesses, and property. 

Experian Information Solutions is a consumer reporting agency that enables busi- 
nesses to make objective, safe, secure loans and minimize other credit-related losses, 
while providing consumers instant access to credit. Experian also provides reference 
services, analytic services, and consulting solutions. Experian employs 6,500 people 
in North America, with major facilities in Costa Mesa, CA; Allen, TX; Denver, CO; 
Atlanta, GA; Mt. Pleasant, IA; Schaumburg, IL; Lincoln, NE; Parsippany, NJ; 
Albany, NY; New York City, NY; Rye, NY; and Rutland, VT. 





Direct Marketing Services 

Experian direct marketing services help bring businesses and their customers to- 
gether. Businesses rely on Experian to help them better understand their markets 
and the characteristics of the people who do business with them. Understanding the 
marketplace makes possible faster, more efficient product development and delivery, 
better retail outlet and service center locations, improved customer service, more 
cost-effective advertising, and lower costs for consumers. By identifying the charac- 
teristics of consumers likely to be interested in certain kinds of products and serv- 
ices, Experian helps marketers more efficiently reach consumers who are most likely 
to be interested in a business’s products or services. 

Credit Reporting 

Experian and the companies from which it was formed have provided credit re- 
porting services for more than 100 years. Today, hundreds of millions of credit re- 
ports are provided to lenders annually. The ability of creditors to check a person’s 
credit references in an instant enables them to make rapid, sound, and objective 
lending decisions. That ability helps consumers get the credit they need and deserve 
faster and cheaper than anywhere else in the world. 

Customer Relationship Management 

Experian helps businesses establish and develop long-lasting customer relation- 
ships through responsible information use. We help businesses get a clearer picture 
of their customers across multiple business units and market segments. We help 
companies understand why certain kinds of people shop with them and what the 
customer needs. With that clearer understanding, Experian then is able to provide 
information services that help businesses initiate relationships with new customers, 
assist the businesses in developing new, desirable products and services, and aid in 
providing pleasant shopping and effective customer service. The result is a better 
shopping experience for consumers and more profitable operation for businesses. 

Automotive Information Services 

Experian Automotive Information Services specialize in the collection and dis- 
semination of vehicular data from each of the 51 United States jurisdictions. The 
information is utilized to provide valuable services to auto dealers, manufacturers, 
consumers and advocacy organizations, advertising agencies and internet informa- 
tion sites, law enforcement and tollway authorities. Detailed vehicle history reports 
enable consumers to make informed used-auto purchasing decisions. Manufacturers 
rely on our services to manage recalls and conduct market analysis to manage prod- 
uct supply and improve service. 

Electronic Commerce Services 

Experian’s electronic commerce division helps businesses establish a presence in 
the electronic marketplace, develop relationships with online consumers, and ensure 
consumers and businesses enjoy positive, safe transactions. 

Individual Reference Services 

Experian reference services help people, businesses, non-profit organizations, gov- 
ernment agencies, law enforcement, and other organizations identify, locate, and 
verify the identity of individuals. The most recognized individual reference services 
are the telephone book and directory assistance — services you use every day. They 
usually include only names, addresses and telephone numbers. More sophisticated 
reference services may include information about whether you own a home or rent 
an apartment, how long you have lived in the same location, and if there are addi- 
tional household members. Sensitive identifying information such as your Social Se- 
curity number, drivers license number, and date of birth is included in some ref- 
erence services. These services, however, are limited to use by law enforcement, gov- 
ernment agencies, and other organizations with a legitimate and appropriate need 
for such information. 

Trilegiant Corporation 

Trilegiant Corporation is one of the country’s largest direct mail marketers. 
Trilegiant offers consumers the opportunity to join various membership clubs that 
provide valuable services, significant discounts and other member privileges. 
Trilegiant’s membership clubs provide a wide array of financial and consumer-based 
individual services, including those relating to shopping, travel, auto, personal fi- 
nance and other membership programs that make their lives more convenient and 
secure. We were a pioneer in the direct marketing and membership services busi- 
ness and have been active for over 27 years, and we currently have over 23 million 
members in the U.S. who enjoy our services. Trilegiant partners with many of the 
nation’s leading financial, retail and media entities to enable them to enhance their 
customer loyalty and brand affinity and to generate additional revenue. 

Each year, Trilegiant mails hundreds of millions of pieces of consumer correspond- 
ence, receives tens of millions of inbound telemarketing calls, and conducts millions 
of outbound telemarketing calls. Trilegiant also is a major on-line marketer and 
partners with many of the country’s largest on-line businesses and markets its serv- 
ices through hundreds of millions of on-line impressions. 

Trilegiant has over 3,000 employees in facilities across the nation. 

Mr. Stearns. By unanimous consent, so ordered. And I thank 
you. 

Mr. Misener. 


STATEMENT OF PAUL MISENER 

Mr. Misener. Mr. Chairman and Mr. Boucher, Mr. Bass, thank 
you very much for inviting me to testify today. 

Amazon.com is the Internet’s leading retailer. As I described in 
detail in my testimony before this subcommittee last year, Ama- 
zon.com uses consumer information to personalize the shopping ex- 
perience at our on-line store and thus help our customers find and 
discover anything they may want to buy. 

At the same time, Amazon.com is pro-privacy. We make every effort 
to provide our consumers outstanding privacy notice, choice, access 
and security. 

Mr. Chairman, through your steadfast leadership and the dedi- 
cated efforts of the members and extraordinarily talented staff of 
your subcommittee and the full committee, you have amassed what 
likely is the world’s most comprehensive legislative data base on 
consumer information privacy. You have held now seven highly in- 
formative hearings and countless meetings with company associa- 
tion representatives, public interest advocates and academics. Your 
willingness to listen impartially to all parties is well known and 
greatly appreciated. It is not surprising therefore that you have in- 
troduced, with bipartisan support, such an excellent bill, H.R. 4678. 

The essential purpose of your bill, if I may summarize it, is to 
provide consumers a baseline of information privacy protection re- 
gardless of the specific type of information involved, regardless of 
the medium through which it is collected and regardless of where 
a consumer is located in the United States. This approach works 
very well with the existing U.S. privacy law, which provides additional 
protections for particularly sensitive information, such as 
medical and financial records and particularly hazardous situations 
such as unsupervised children online. 

As I will describe in detail momentarily, H.R. 4678 includes the 
three indispensable components about which I testified in your sub- 
committee last year. H.R. 4678 goes even further by addressing, 
head on, the issue consumers often cite as their principal, quote, 
“privacy concern,” which is identity theft. All in all, Mr. Chairman, 
H.R. 4678 is an excellent bill. 

I must explain, however, that Amazon.com is not actually seek- 
ing privacy legislation. For several reasons, we believe it would not 
be proper for us to do so. First, if we were to argue that a bill must 
be passed, we might incorrectly be viewed as suggesting that a bill 
is necessary in order to make our company protect consumer pri- 
vacy. But Amazon.com already provides excellent privacy protec- 
tions to our customers. 





Second, Amazon.com’s arguing that a bill must be passed could 
be misinterpreted to mean that we want Congress to force other 
companies to offer privacy protections at the level we already do. 
Frankly, however, we think our companies neglect consumer infor- 
mation privacy at their peril. The companies simply must offer ex- 
cellent privacy practices or else they will lose business. 

Third, if we actively seek passage of a Federal bill, it might be 
said we merely wish to preempt State legislation in this area. Al- 
though it is true that State-by-State legislation of consumer infor- 
mation privacy easily could produce an untenable and unconstitu- 
tional crazy quilt of rules with which an on-line company might 
find it difficult or impossible to comply. States, thus far, have heed- 
ed our warnings in this regard. 

Finally, by arguing that a bill must be passed, Amazon.com 
might mislead some observers into thinking that we believe the bill 
is necessary to improve consumer confidence on the Internet. Al- 
though we are aware of intuitive and compelling arguments that 
legislation is necessary to boost consumer confidence, we are not 
nearly so sure this is true, just as in the off-line retail world, con- 
sumers know there are both safe and unsafe places to shop. 

In sum, Mr. Chairman, we did not come before you today re- 
questing privacy legislation. Others have made a strong case for a 
new law. But for the reasons I have just articulated, Amazon.com 
is not prepared to make the same case. Nonetheless, Mr. Chair- 
man, if you and your colleagues determine that general consumer 
information privacy legislation is needed, Amazon.com fully sup- 
ports H.R. 4678 to meet this need. 

In my remaining time, I would like to offer our support in par- 
ticular for three essential aspects of H.R. 4678. Without any one of 
these components, Amazon.com, and I suspect many other compa- 
nies, could not support this bill. First and foremost, H.R. 4678 ad- 
dresses consumer information privacy holistically without regard to 
the medium through which the information is collected. This parity 
among media is both wise and fair. 

It is wise because there is no reason for legislation to treat, for 
example, the privacy of the person’s mailing address different if it 
were collected at an on-line Web site instead of at a mall kiosk or 
over the phone. 

Parity is fair to on-line business because the information privacy 
practices of competitors that happen to operate through different 
communications media would be treated the same. And most im- 
portantly, parity is fair to consumers because it would address 100 
percent of their retail transactions, rather than the mere 1 or 2 
percent conducted online. 

Amazon.com also supports H.R. 4678’s national approach to con- 
sumer information privacy. The inherent interstate nature of Web- 
based commerce demands a national solution. Your bill recognizes 
this fact by preempting relevant State law. 

Finally, Amazon.com supports the bill’s faith in the consistency 
and balance of a public enforcement mechanism. Consumers need 
a readable, not legalistic, privacy notice. Only a regulatory body 
such as the Federal Trade Commission is well positioned to balance 
the competing goals of legal precision and readability. 





Let me summarize by saying that although we are not explicitly 
seeking privacy legislation, Amazon.com is, on behalf of our com- 
pany and customers, proud to support H.R. 4678, which wisely and 
fairly addresses consumer information uniformly among all meth- 
ods of collection, establishes a national system that avoids a hodge- 
podge of State and local rules and employs the consistency and bal- 
ance of a public enforcement mechanism. 

Thank you again, Mr. Chairman, for your attention to the facts 
and details of consumer information privacy. On behalf of our com- 
pany and customers, Amazon.com sincerely appreciates your per- 
spicacity. 

And last let me thank you for inviting me to testify. And I look 
forward to your questions. 

[The prepared statement of Paul Misener follows:] 

Prepared Statement of Paul Misener, Vice President, Global Public Policy, Amazon.com

Chairman Stearns, Mr. Towns, and members of the subcommittee, my name is 
Paul Misener. I am Amazon.com’s Vice President for Global Public Policy. Thank 
you very much for inviting me to testify today. 

Amazon.com is the Internet’s leading retailer. As I described in detail in my testi- 
mony before this subcommittee last year, Amazon.com uses consumer information 
to personalize the shopping experience at our online store and, thus, to help our cus- 
tomers find and discover anything they may want to buy. At the same time, Ama- 
zon.com is pro-privacy: we make every effort to provide our customers outstanding 
privacy notice, choice, access, and security. 

Mr. Chairman, through your steadfast leadership, and the dedicated efforts of the 
members and extraordinarily talented staff of your subcommittee and the full com- 
mittee, you have amassed what likely is the world’s most comprehensive legislative 
record on consumer information privacy. You have held seven highly informative 
hearings and countless meetings with company and association representatives, 
public interest advocates, and academics. Your willingness to listen impartially to 
all parties is well known and greatly appreciated. 

It is not surprising, therefore, that you have introduced, with bipartisan support, 
such an excellent bill, H.R. 4678. The essential purpose of your bill, if I may sum- 
marize it, is to provide consumers a baseline of information privacy protection, re- 
gardless of the specific type of information involved; regardless of the medium 
through which it is collected; and regardless of where a consumer is located in the 
United States. This approach works very well with existing U.S. privacy law, which 
provides additional protections for particularly sensitive information (such as med- 
ical and financial records) and particularly hazardous situations (such as unsuper- 
vised children online). 

As I will describe in detail momentarily, H.R. 4678 includes the three indispen- 
sable components about which I testified to your subcommittee last year. Specifi- 
cally, your bill would address consumer information uniformly among all methods 
of collection; it would establish a national system that avoids a hodgepodge of state 
rules; and it would employ the consistency and balance of a public enforcement 
mechanism. H.R. 4678 goes even further by addressing head-on the issue consumers 
often cite as their principal “privacy” concern: identity theft. It also wisely would 
begin the process of examining how best to harmonize privacy protections world- 
wide. All in all, Mr. Chairman, H.R. 4678 is an excellent bill. 

I must explain, however, that Amazon.com is not actually seeking privacy legisla- 
tion. For several reasons, we believe it would not be proper for us to do so. First, 
if we were to argue that a bill must be passed, we might incorrectly be viewed as 
suggesting that a bill is necessary in order to make our company protect consumer 
privacy. But as I briefly outlined earlier, and described in detail in my testimony 
last year, Amazon.com already provides excellent privacy protections to our cus- 
tomers. In fact, H.R. 4678 likely would not require Amazon.com to alter its privacy 
practices in any substantial way: we simply do not need a new law to force us to 
provide outstanding consumer privacy protections. 

Second, Amazon.com arguing that a bill must be passed could be misinterpreted 
to mean that we want Congress to force other companies to offer privacy protections 
at the level that we already do. After all, it is a centuries-old tradition for
market-leading companies to seek regulations that mirror their current practices,
if for no other reasons than to impose additional costs on existing competitors and market
entry costs on potential competitors. Frankly, however, we think other companies 
neglect consumer information privacy at their peril: Companies simply must offer 
excellent privacy practices or else they will lose business, regardless of whether a 
law requires it. 

Third, if we actively seek passage of a federal bill, it might be said that we merely 
wish to preempt state legislation in this area. Although it is true that state-by-state 
legislation of consumer information privacy easily could produce an untenable and 
unconstitutional “crazy-quilt” of rules with which online companies might find it dif- 
ficult or impossible to comply, states thus far have heeded our warnings in this re- 
gard. A national privacy scheme, based on explicit preemption of state laws, is an 
essential component of any federal legislation but, obviously, until state laws are 
passed, no such preemption is necessary. 

Finally, by arguing that a bill must be passed, Amazon.com might mislead some 
observers into thinking that we believe a bill is necessary to improve consumer con- 
fidence on the Internet. Although we are aware of intuitive and compelling argu- 
ments that legislation is necessary to boost consumer confidence, we are not nearly 
so sure this is true. Just as in the offline retail world, consumers know there are 
both safe and unsafe places to shop. 

In sum, Mr. Chairman, we do not come before you today requesting privacy legis- 
lation. Others have made a strong case for a new law but, for the reasons I have 
just articulated, Amazon.com is not prepared to make the same case. 

Nonetheless, Mr. Chairman, if you and your colleagues determine that general 
consumer information privacy legislation is needed, Amazon.com fully supports H.R. 
4678 to meet this need. This bill is an excellent vehicle by which Congress could 
address the consumer information privacy concerns various parties have raised, and 
Amazon.com could continue to serve our customers well if it were enacted. 

In my remaining time, I would like to offer Amazon.com’s support for three par- 
ticular and essential aspects of H.R. 4678. Without any one of these components, 
Amazon.com — and, I suspect, many other companies — could not support this bill. 

First and foremost, H.R. 4678 addresses consumer information privacy holis- 
tically, without regard to the medium through which the information is collected. 
This parity among media is both wise and fair. It is wise because the personal con- 
sumer information collected offline (to the extent the terms “offline” and “online” 
have any meaning in today’s world of communications convergence) is as sensitive 
as or, often, is more sensitive than, information collected online. There is no reason 
for legislation to treat, for example, the privacy of a person’s mailing address dif- 
ferently if it were collected at an online website instead of at a mall kiosk or over 
the phone. 

This parity also is wise because online transactions often provide more consumer 
privacy protections than offline transactions. Indeed, brick-and-mortar retailers 
know their customers’ physical characteristics, including race, sex, weight, com- 
plexion, et cetera, but online retailers cannot. And unlike their online competitors, 
brick-and-mortar retailers also know their customers’ geographic location; we online 
retailers, on the other hand, do not know from where our customers access our 
Website. 

Parity also is fair to online businesses, because the information privacy practices 
of competitors that happen to operate through different communications media 
would be treated the same. And, most importantly, parity is fair to consumers, be- 
cause it would address 100% of their retail transactions rather than the mere one 
or two percent conducted online. Significantly, parity also would address the privacy 
concerns of those persons on the unfortunate side of the digital divide, not just those 
people who shop online. This bears repeating: an online-only bill would have the 
perverse effect of providing no privacy protections to those on the unfortunate side 
of the digital divide. 

In sum, H.R. 4678 wisely and fairly addresses consumer information privacy with- 
out regard to the medium through which it is collected. 

Amazon.com also supports H.R. 4678’s national approach to consumer information 
privacy. It would be difficult or impossible for nationwide entities such as our com- 
pany to comply with a “crazy-quilt” of state consumer privacy legislation. The inher- 
ent interstate nature of Web-based commerce — a single Web page is viewable from 
anywhere in the world — demands a national solution; your bill recognizes this fact 
by preempting relevant state law. 

Finally, Amazon.com supports the bill’s faith in the consistency and balance of a 
public enforcement mechanism. Consumers need readable, not legalistic, privacy
notices. Only a regulatory body such as the Federal Trade Commission is well
positioned to balance the competing goals of legal precision and readability. Indeed,
despite the bill’s emphasis on the readability of privacy notices, private litigants would
have no interest in protecting readability. If private enforcement were authorized,
companies like Amazon.com might be forced to adopt Balkanized, legalistic privacy 
notices at the expense of consumer accessibility. Only a public enforcement mecha- 
nism, such as that included in H.R. 4678, would foster a tenable balance between 
the competing goals of accuracy and readability. 

Let me summarize by saying that although we are not explicitly seeking privacy 
legislation, Amazon.com is, on behalf of our company and customers, proud to sup- 
port H.R. 4678, which wisely and fairly addresses consumer information uniformly 
among all methods of collection; establishes a national system that avoids a hodge- 
podge of state and local rules; and employs the consistency and balance of a public 
enforcement mechanism. As I mentioned earlier, it also sensibly addresses consumer 
identity theft and the international aspects of privacy policy. 

Thank you again, Mr. Chairman, for your attention to the facts and details of con- 
sumer information privacy. On behalf of our company and customers, Amazon.com 
sincerely appreciates your perspicacity. 

Lastly, thank you for inviting me to testify; I look forward to your questions. 

Mr. Stearns. Nice to see you again. 

Mr. Rotenberg, you have the platform. You are probably one that 
can enlighten us a little differently. 

STATEMENT OF MARC ROTENBERG 

Mr. Rotenberg. I have somewhat different views, Mr. Chair- 
man, yes. And I would like to thank you and Mr. Boucher not only 
for the opportunity to be here this morning, but also to recognize 
the extensive work that has been done by this subcommittee and 
the members and the staff to tackle this very difficult issue. 

And I don’t think anyone on the panel would disagree that this 
is a difficult issue. At the same time, it is an important issue, and 
I would certainly like to be able to join the other witnesses this 
morning and say that we have a good bill and we are ready to go 
forward. But that is not my view, and I don’t believe that is the 
view of other consumer privacy organizations on the left or the 
right that have considered this issue. 

This is not just a concern, also, of the Washington policy groups. 
I think the reason that these witnesses are here today asking for 
this legislation is because over the last several years, all across this 
country, Americans have said to their elected officials, we need pro- 
tections for privacy; we are concerned about how companies are 
using our personal information; we want to be able to do business, 
but we also believe there should be some accountability. 

And they have turned to the courts and the State legislatures 
and the attorneys general, and even the counties, to get some pro- 
tection from privacy; and they are getting it because the American 
legal system allows the States to protect the interests of their citi- 
zens through law, through court decisions, through the efforts of 
the attorneys general. 

I think it is extraordinary that in North Dakota there was actu- 
ally a referendum on the question of opt-in and financial privacy, 
and a referendum in that State passed because people in that State 
feel very strongly about protecting the privacy of their financial in- 
formation. I think 10 years ago if you had said “opt-in” to anybody 
in North Dakota or anywhere else in this country, they would have 
no idea you were talking about privacy. That is how strongly peo- 
ple feel about this issue. 

Now the industry groups have come to Washington and they 
have said to you, in effect, we can’t take this avalanche of privacy 
concerns. We can’t face potential action in 50 different States. Of
course, they never stopped to think that consumers in the self-regulatory
environment face not 50 different privacy policies, but perhaps
500 or 5,000, because under the self-regulatory approaches
that the bill endorses, companies are free to create whatever policy 
they wish. And every customer dealing with any company would 
have to consider each single interaction, what that policy means 
and whether it protects their privacy. 

So let’s look closely at the provisions in the bill and ask the ques- 
tion, Is what people across the country are being asked to trade, 
which are the rights and State laws and the aggressive action of 
State officials, a fair deal?

The act provides no access to the personal information that is ac- 
quired by companies on customers, and being acquired by compa- 
nies on behalf of other companies. Acxiom, for example, is an ex- 
traordinary firm. I don’t mean to single them out, but they are here 
this morning. They provide what they call a 360-degree view of cus- 
tomers. They want to know everything about you. And they will 
make that information available not only to businesses like 
Citibank for e-mail solicitation, which the Wall Street Journal — the 
Wall Street Journal recently raised questions about; they also now 
make it freely available for the FBI to do intensive data mining on 
American citizens. Commercial information is now being provided 
by Acxiom routinely for criminal investigations. 

And I would like you to at least consider on this access ques- 
tion — perhaps you or members of your staff would make a request 
to Acxiom and ask them to provide you the information that they 
have about you and your family members, that they are providing 
to law enforcement and other businesses. 

There is nothing in the bill that prevents that current practice. 
There is no private right of action, of course, in the bill, which 
many of the witnesses here this morning are very pleased about. 
Because, of course, that means that there is no real accountability. 

Every single privacy complaint under this bill must go toward 
the Federal Trade Commission which even — even if it were more 
extensively staffed and really, you know, up to taking on individual 
consumer privacy complaints, couldn’t begin to address the range 
of concerns and issues that Americans have expressed about the 
privacy issue. 

And the bill provides no remedies to consumers. In other words, 
once consumers have gone through all the steps of the self-regu- 
latory program — of the appeal within the self-regulatory program of 
the complaint to the FTC, at best, the FTC might decide that the 
company is no longer eligible to be a member of the self-regulatory 
program. And in my opinion that is an inadequate remedy. 

I think we need real privacy protection. I think American con- 
sumers are asking for real privacy protection, and I think over the 
long term it will benefit American businesses and allow commerce 
both online and offline to thrive. But regrettably, I don’t think this 
is a bill that would do it; and I am sorry to say that because I know 
we have spent a lot of time on this one, and we would certainly 
like to see a bill that would provide that protection. 

So thank you very much. 

[The prepared statement of Marc Rotenberg follows:] 





Prepared Statement of Marc Rotenberg, Executive Director, Electronic 
Privacy Information Center 

My name is Marc Rotenberg. I am the Executive Director of the Electronic Pri- 
vacy Information Center in Washington. I am on the faculty of Georgetown Univer- 
sity Law Center, where I have taught Information Privacy Law since 1990. I am 
co-author of a forthcoming casebook with Professor Daniel J. Solove on Information 
Privacy Law (Aspen Publishing). I have also recently been named chairman of the 
American Bar Association Committee on Privacy and Information Protection, though 
my comments today reflect only my views and not those of the ABA. 

I appreciate the opportunity to testify before the Subcommittee today on HR 4678, 
the “Consumer Privacy Protection Act of 2002.” I am well aware of the extensive 
work of the Subcommittee on privacy issues during this Congress. Therefore it is 
with some misgivings that I say to you today that this bill will have little support 
among consumer or privacy organizations, privacy experts, or the general public. 1 
In many respects it seems crafted to protect privacy violators from legal accountability.
On almost every key provision it favors industry over the consumer, the invasion
of privacy over the protection of privacy. While it is true that it is a sweeping
measure in the sense that it applies to all data collection organizations, both off- 
line and on-line, the intent appears to be to insulate companies from any real ac- 
countability for what they might do with the personal information they acquire. 
Given the important tradition in the United States of safeguarding privacy as new 
technologies emerge, as well as the testimony provided by several witnesses on the 
need to protect privacy going forward, I can only hope that a better bill will be intro- 
duced in the future. 

“Protection of Individual Privacy in Interstate Commerce” (Title I) 

The substantive provisions of the measure are set out in Title I. Simply stated 
they require a company to adopt a privacy policy that can say virtually anything 
and can be changed at any point in time to say anything else. Under Title I of the 
Act, if a company states that it takes sensitive personal information and puts it on
the Internet for all to see, it will be in compliance with the Consumer Privacy Pro- 
tection Act. A company can adopt a policy that states that it will zealously protect 
sensitive personal information, acquire customer data, then change its mind, and 
post it on the Internet. It too will be in compliance with the Consumer Privacy Pro- 
tection Act. 

There is an interesting section that attempts to limit the sale of personal data 
to third parties, but this provision is easy to defeat by simply offering the consumer 
a benefit, such as the service originally sought. A companion provision that seeks 
to limit “other information practices” is also almost meaningless because consumers 
will not have access to any relevant information to make an informed decision and 
even if they go to the effort of exercising this right, the company can exercise its
right to “terminate its compliance with the limitation” on thirty days notice. (This
section might be called the “Now you see it, now you don’t” privacy provision.)

1 The bill appears to ignore the testimony of every public interest advocate appearing before
the Subcommittee. My own testimony of June 21, 2001 advocated a system of rights similar to
the Cable Communications Policy Act of 1984, one that includes notice, opt-in, access, and a
private right of action. Ed Mierzwinski’s testimony of April 3, 2002, on behalf of the US Public
Interest Research Group, called for a law that incorporated a system of FIPs. Specifically, Mr.
Mierzwinski’s testimony called for collection limitations, comprehensive notice, opt-in, guarantees
of accuracy and security, no preemption, and a private right of action. Frank Torres’ testimony
of April 3, 2001, on behalf of Consumers Union, broadly outlined current problems in HIPAA
and the GLBA. Mr. Torres recommended comprehensive notice, full access and correction rights,
and opt-in consent. More than thirty organizations across the political spectrum endorsed a set
of principles at the beginning of this Congress on which to base federal privacy legislation:

1. The Fair Information Practices: the right to notice, consent, security, access, correction, use
limitations, and redress when information is improperly used,

2. Independent enforcement and oversight,

3. Promotion of genuine Privacy Enhancing Technologies that limit the collection of personal
information,

4. Legal restrictions on surveillance technologies such as those used for locational tracking,
video surveillance, electronic profiling, and workplace monitoring, and

5. A solid foundation of federal privacy safeguards that permit the private sector and states
to implement supplementary protections as needed.

Many good proposals from leading US academics were apparently also ignored. Professor Joel
Reidenberg, testifying on March 8, 2001, said that the “United States is rapidly on the path
to becoming the world’s leading privacy rogue nation.” Reidenberg recommended that the
Congress promote the negotiation of a “General Agreement on Information Privacy.” As for public
opinion, polls consistently find strong support among Americans for privacy rights in law to
protect their personal information from government and commercial entities. See EPIC, “Public
Opinion and Privacy” (http://www.epic.org/privacy/survey/default.html)

The Act would create policies for policies — a form of bureaucratic red tape for con- 
sumers — without ever giving a consumer access to personal information held by the 
company. Does a company have inaccurate information about you? You’ll never 
know. Does it discriminate against you because of confusion about names, incorrect 
addresses, or bad information provided by a third party? You’ll have no idea. There 
is nothing in the bill that even attempts to hold companies responsible for the accu- 
racy of their information on consumers. 

The bill places enormous confidence in self-regulatory programs. It imposes only 
the most modest obligations on these consulting firms. The generous eight-year cer- 
tification period for self-regulatory companies contrasts sharply with the thirty days 
notice provided to consumers about material changes in privacy policies permitted
under the Act. This deference to self-regulation is extraordinary, considering not
only that Truste continued to approve Microsoft even as its Passport service was
found to violate the FTC Act, as well as the clear experience in these last few years
of abuse stemming from industry self-policing. 

The Act noticeably creates no safeguards on disclosure of personally identifiable 
information to law enforcement agencies. In other words, individuals who provide 
information to businesses will have no protections against fishing expeditions by the 
police. Virtually every other privacy law in the United States sets out a Fourth 
Amendment standard to regulate police access to personal information held by third 
parties. The purpose is not to prevent law enforcement access or to frustrate crimi- 
nal investigations, but rather to ensure that when police go to a private business 
in search of information about customers or clients they do so with something that 
approaches probable cause or reasonable suspicion that a crime has been committed. 
Under the “Consumer Privacy Protection Act” there will be no new safeguards
established to protect consumers from searches that might otherwise be overly broad,
intrusive or unlawful. Under this approach, video rental records will remain pro- 
tected under a 1988 Act, but there will be no similar protection for new services of- 
fered over the Internet or the extensive record of purchases and interests collected 
and maintained by Amazon. 

The Act forcefully creates no private right of action. This goes far beyond any rea- 
sonable concern about large damage awards. There are any number of alternative 
approaches that would preserve a private right of action. It is possible for example, 
to allow individuals to go into small claims court and seek relief as they do currently
and effectively under the Telephone Consumer Protection Act. Alternatively, the 
state attorneys general could be empowered to enforce rights created by the federal 
statute as others have proposed, or damage awards could be capped. The point is 
that there are many ways to make a private right of action work. 

The absence of a private right of action is all the more problematic because as 
the bill is currently structured there are no procedural rights for consumers who file 
complaints at the FTC nor are there any formal means of reporting or appeal if the 
FTC fails to act on a complaint. What happens, for example, if a drug company dis- 
closes the names of Prozac users on the Internet, a complaint is filed, and the FTC 
chooses not to act? It is clear that the company’s action violates the FTC Act
as the FTC has already found, but if the Commission chooses, for whatever reason, 
not to pursue the complaint, that is the end of the matter. This grants the agency 
unprecedented discretionary authority. 

Having constructed a bill that effectively provides no substantive rights for con- 
sumers, the Act preempts states that are seeking to provide greater protection to 
their citizens. It even preempts state common law which is an extraordinary step 
for the Congress. Has this Committee concluded that there should be no state rem- 
edies anywhere in the United States for breaches of privacy committed by an orga- 
nization that collects personal information? That would be an extraordinary assault 
on both the common law and our federal form of government. 

International Provisions 

The purpose of Title III is apparently to raise questions about the enforcement 
of the Safe Harbor Arrangement and other international agreements that the 
United States has pursued to support the protection of privacy. As currently drafted, 
the section asks the Comptroller General to review these various arrangements to 
determine whether such laws, regulations or agreements “result in discriminatory 
treatment of United States entities.” 

Members of the Subcommittee should realize that the Safe Harbor Arrangement 
addresses concerns that European governments have raised about privacy protection 
for their own citizens. Safe Harbor came about to assist US businesses who had
complained that it would be difficult to comply with privacy law in Europe. The
concerns of European officials about US practices have been substantiated in the
United States by both state attorneys general and the Federal Trade Commission. 
For example, European privacy officials raised concerns that the Microsoft Passport 
service violated European law, but it was ultimately the US Federal Trade Commis- 
sion that found that Microsoft violated Section 5 of the FTC Act. Earlier, European 
officials asked the Doubleclick company to modify its Internet advertising practices 
to comply with European privacy laws, but it was US officials who ultimately 
clamped down on the company’s plans for invasive profiling of Internet users. 

Do we really want to be in the position of objecting to the efforts of foreign
governments to safeguard the privacy rights of their own citizens when US officials have
expressed similar concerns? This is not a wise or forward-looking policy.

I’d also like to bring to the attention of the Committee the important role that
the United States has historically played in helping to enforce international
standards for privacy protection. The Department of State, under both political parties,
has supported the international human rights community by monitoring compliance
with the International Covenant of Civil and Political Rights. The ICCPR includes
a critical provision on unlawful surveillance and police practices that threaten
political freedom all around the world.

As the web site of the Department of State currently notes: 

The protection of fundamental human rights was a foundation stone in the
establishment of the United States over 200 years ago. Since then, a central goal
of U.S. foreign policy has been the promotion of respect for human rights, as
embodied in the Universal Declaration of Human Rights. The United States
understands that the existence of human rights helps secure the peace, deter
aggression, promote the rule of law, combat crime and corruption, strengthen
democracies, and prevent humanitarian crises. 2

Section 1, paragraph f in the annual report prepared by the State Department
addresses specifically “Arbitrary Interference With Privacy, Family, Home,
Correspondence.” For example in the 2002 report on China, the State Department notes
that:

The Constitution states that the “freedom and privacy of correspondence of
citizens are protected by law.” Despite legal protections, authorities often do not
respect the privacy of citizens in practice. Although the law requires warrants
before law enforcement officials can search premises, this provision frequently
has been ignored; moreover, the Public Security Bureau and the Procuratorate
can issue search warrants on their own authority. Authorities monitor
telephone conversations, facsimile transmissions, e-mail, and Internet
communications. Authorities also open and censor domestic and international mail. The
security services routinely monitor and enter the residences and offices of persons
dealing with foreigners to gain access to computers, telephones, and fax
machines. Government security organs monitor and sometimes restrict contact
between foreigners and citizens. All major hotels have a sizable internal security
presence. 3

Now I agree that the United States should look more carefully at some of the
current international agreements that impact privacy, but the commercial agreements
such as Safe Harbor, which are intended to safeguard privacy and facilitate trade,
are the wrong place to start. I would urge the Comptroller General to consider
whether such proposals as the Council of Europe Cybercrime Convention would
violate the privacy rights of American citizens that would otherwise be protected under
US law and the US Constitution. 4 That proposal, which some in the Administration
continue to promote as if it were national law, even though it has never been
introduced in the Congress let alone ratified by the United States, contains many
provisions that deeply implicate American Constitutional values. 5


2 Department of State, “Human Rights,” http://www.state.gov/g/drl/hr/ (last visited September
21, 2002)

3 Department of State, “China (includes Hong Kong and Macau),”
http://www.state.gov/g/drl/rls/hrrpt/2001/eap/8289.htm

4 Council of Europe Committee of Ministers, 109th Sess, Convention on Cyber-Crime (adopted
Nov 8, 2001), available online at http://conventions.coe.int/Treaty/EN/WhatYouWant.asp?NT=185.

5 See, e.g., id. Arts. 2-11 (requiring member country statutory criminalization of offenses such
as hacking, the production, sale or distribution of hacking tools, and child pornography, and an
expansion of criminal liability for intellectual property violations. The treaty’s intellectual
property provisions significantly expand criminal liability for intellectual property violations and tilt
copyright law away from the public interest: U.S. intellectual property law contains a delicate
balance between the rights of intellectual property holders and the rights of the public through
the First Amendment and the law of “fair use” of copyrighted materials, but the Cyber crime
Convention criminalizes copyright infringement with no mention of fair use); id. Arts 16-22
(requiring participating nations to grant new powers of search and seizure to its law enforcement
authorities, including the power to force an ISP to preserve a citizen’s internet usage records
or other data, and the power to monitor a citizen’s online activities in real time — while including
no provisions to protect citizens’ privacy. In the United States, the treaty requires the U.S. to
authorize the use of devices like Carnivore, the FBI’s “Internet-tapping” surveillance system.);
id. Arts 23-35 (requiring law enforcement in every participating country to assist police from
other participating countries by cooperating with “mutual assistance requests” from police in
other participating nations “to the widest extent possible.” This obliges American law
enforcement to cooperate with investigations of behavior that is illegal abroad but perfectly legal in
the U.S.). The Administration has stated that “The Convention will help us and other countries
fight criminals and terrorists who use computers to commit crimes . . .” Promoting Innovation
and Competitiveness: President Bush’s Technology Agenda, at
http://www.whitehouse.gov/infocus/technology/tech3.html.

It is the Cybercrime Convention, not the Safe Harbor arrangement, that poses a
direct threat to the interests of the United States and American citizens. It is that
proposal that should be given careful scrutiny by the Congress.

Conclusion

This has been a difficult year on the privacy front. The country faces new
challenges after September 11. Even so, many of us have been heartened by the efforts
of government officials to safeguard this essential American value. A secretive
federal court has spoken out against the misuse of the Foreign Intelligence
Surveillance Act. The House leadership has taken strong stands on such issues as
Carnivore, TIPS, and video surveillance. The White House has indicated its reluctance
to endorse a national identity card. The Federal Trade Commission has issued
important orders on Microsoft, Eli Lilly, and proposed a new rule on telemarketing.
The state attorneys general have acted to protect consumers against egregious
practices that have led to the disclosure of medical records, financial information, and
the misuse of student records.

Even the President’s Critical Infrastructure Protection Board, charged with
safeguarding the nation against future terrorist threats said in the recent report on the
National Strategy to Secure Cyberspace:

The nation’s Strategy must be consistent with the core values of its open and
democratic society. Accordingly, Americans must expect government and
industry to respect their privacy and protect it from abuse. This respect for privacy
is a source of our strength as a nation; accordingly, one of the most important
reasons for ensuring the integrity, reliability, availability, and confidentiality of
data in cyberspace is to protect the privacy and civil liberties of Americans
when they use — or when their personal information resides on — cyber networks.
To achieve this goal, the National Strategy incorporates privacy principles — not
just in one section of the Strategy, but in all facets. The overriding aim is to
reach toward solutions that both enhance security and protect privacy and civil
liberties. 6

This was an extraordinary statement coming from an organization tasked with
protecting the country from cyber warfare and future acts of terrorism. Still, they
seemed to leave little doubt that the protection of privacy could not be sacrificed
even as the country works to strengthen cybersecurity. Certainly, there could be a
similar commitment to protect privacy in less critical circumstances.

Thank you for your attention. I would be pleased to answer your questions.

6 p. 43 (emphasis added).

Mr. Stearns. Thank you Mr. Rotenberg. I mean we have, we are
interested in people that don’t agree with the bill obviously too.
And so we appreciate your comments.

I would ask unanimous consent to put in the record the support
we have got, a letter from Acxiom and Computer Systems Policy
Project and National Business Coalition on E-Commerce Privacy.
Without objection, so ordered and we will make it part of the
record.

[The information referred to follows:]


ACXIOM 
Little Rock, AR 

August 1, 2002 


The Honorable Cliff Stearns 
United States House of Representatives 
2227 Rayburn House Office Building 
Washington, DC 20515 

I just want to take this opportunity to thank you for the hard work that you and
your staff have put into coming up with a balanced approach to a key aspect of the
privacy issue. Your work helps to ensure consumer privacy, while protecting the
economy, by allowing the exchange of critical data while not compromising personal
information. I believe that your legislation, H. R. 4678, weighs competing concerns,
in an extremely difficult environment, and gives privacy advocates, the business
community and regulators the capacity to work through many of the problems
raised without undue burdens on the consumer.

While we might recommend some adjustments, it does provide a workable
framework that is fair and will not result in the curtailment of critical data flows that
are essential to our nation’s economy. Without a doubt, a competing version
currently moving in the Senate will have broad, unintended ramifications that will
ultimately hurt both consumers and businesses.

Therefore, I want to express my support for H. R. 4678 and again thank you and
your staff, particularly Ramsen Betfarhad, for the tireless effort given in crafting
this balanced and effective piece of legislation.

Sincerely, 


Charles Morgan 

Company Leader 


High-Tech Leaders Praise Stearns’ Privacy Bill;
CSPP says legislation “strikes the right balance”

Washington — The Computer Systems Policy Project (CSPP), a coalition of CEOs
from the nation’s leading high-tech companies, offered its support for bipartisan
information privacy legislation unveiled today by House Energy and Commerce, Trade
and Consumer Protection Subcommittee Chairman Cliff Stearns (R-Fla.).

“The issue of privacy is of paramount importance to CSPP members,” said Phil
Servidea, vice president of government affairs for NCR and co-chair of the CSPP
Networked World Committee. “The bill proposed by Chairman Stearns is a step in
the right direction, offering a baseline of protection to Americans doing business
both online and offline, as well as effectively balancing consumer and business
interests, and state versus federal jurisdiction.”

“CSPP is grateful to Chairman Stearns for his thoughtful consideration of this 
complicated issue,” said Ken Kay, executive director of CSPP. “We look forward to 
continuing to work with Chairman Stearns and Congress on privacy legislation that 
protects consumer privacy in accordance to the principles supported by our member 
companies.” 

The goals of the Stearns’ legislation, the Consumer Privacy Act of 2002, are
in-line with many of the principles for privacy legislation articulated by CSPP last
year. The legislation applies to both online and offline transactions, builds on
industry’s existing self-regulatory programs, establishes a national legal framework
assuring protection, and enables consumers to control how their information is used.
It calls for Federal Trade Commission (FTC) enforcement and penalization for
privacy violations, as opposed to creating new opportunities for litigation. The
legislation would double existing FTC fines for such transgressions. Finally, the Stearns
bill calls for organizations to implement security policies to prevent the unintended
compromise of personally identifiable information.

CSPP believes that consumers will be well served by a privacy protection regime 
that includes such industry best practices, vigorous FTC enforcement and baseline 
federal legislative protection. The CSPP companies have labored for several years 
at defining privacy risks and identifying legislative requirements. 

Founded in 1989, CSPP’s current members are: Michael S. Dell, chairman and 
chief executive officer of Dell and chairman of CSPP; Craig Barrett, CEO of Intel 
Corporation; Carleton S. Fiorina, chairman, president and chief executive officer of 
Hewlett-Packard Company; Christopher B. Galvin, chairman and chief executive
officer of Motorola; Louis V. Gerstner, Jr., chairman of IBM Corporation; Lars Nyberg,
chairman and chief executive officer of NCR Corporation; Joseph Tucci, CEO of
EMC; and Lawrence A. Weinbach, chairman and chief executive officer of Unisys
Corporation.


National Business Coalition on E-Commerce and Privacy 

June 18, 2002 

Honorable Cliff Stearns
Chairman
Subcommittee on Commerce, Trade and Consumer Protection
U.S. House of Representatives
2227 Rayburn House Office Building
Washington, D.C. 20515

Dear Mr. Chairman: On behalf of the National Business Coalition on
E-Commerce and Privacy, we would like to take this opportunity to express our views
regarding HR 4678, the Consumer Privacy Protection Act of 2002.

The Coalition is comprised of major U.S. corporations from diverse economic
sectors that strongly support a balanced and uniform national policy pertaining to
electronic commerce and privacy. Our member companies are top competitors in the
e-commerce marketplace and actively use the Internet to deliver goods and services
to our customers. We are committed to ensuring the privacy and security of the
information gathered from our customers, both on-line and off-line.

Mr. Chairman, we congratulate you on your leadership in successfully moving the 
privacy debate in a more positive and useful direction, and we thank you for your 
impressive effort in holding a series of important hearings on the various aspects 
of the privacy issue. 

As you know, the Federal Trade Commission has stated that there is no need for
the Congress to pass general privacy legislation. While Federal legislation is not
necessary at this time, this situation would change dramatically if the states begin
to pass legislation. If Federal legislation becomes necessary to preempt a patchwork
of conflicting privacy laws at the state level, then HR 4678 certainly represents a
reasonable and measured step forward in the privacy debate for the following
reasons:

• By effectively providing a uniform privacy standard across the nation, HR 4678
would avoid the danger of a fragmented e-commerce market, with all of the
ultimately unworkable administrative requirements that would imply. The
preemption of state laws is absolutely critical to the continued growth of e-commerce.
Having to adapt to as many as fifty different state laws would be enormously
burdensome and would be a significant deterrent to the further development of
e-commerce.

• HR 4678 properly emphasizes providing notice of privacy policies to consumers and
allowing customers to opt-out of having information about them shared with
others. We believe that this represents a reasonable and practical balance between
consumer rights to the privacy and security of their data and transactions, and
the legitimate uses of information by business to improve the quality, efficiency,
and cost effectiveness of products and services that consumers desire. And
requiring companies to prepare and implement information security policies will
help assure consumers that the information about them is secure.

• HR 4678 recognizes the importance of treating all business-to-consumer
information in a similar manner — regardless of whether the information is acquired
on-line or off-line. As a general rule, business makes little distinction between
information that it gathers on-line as opposed to that gathered off-line. To treat
these two types of information differently would result in significant
administrative burdens and legal liabilities — the costs of which business would be
forced to pass on to the consumer.

• HR 4678 avoids private rights of action and the potential for frivolous lawsuits.
As the FTC has recognized, existing enforcement authority is sufficient to deal
with most violations of privacy laws and opening the door to private rights of
action would simply create an environment conducive to unnecessary lawsuits.
The only qualification we would add is that we would like to see class actions
expressly banned.

• Finally, it is important that HR 4678 addresses the issue of foreign privacy laws,
especially since such laws may effectively be barriers to free trade.
Harmonization of national privacy laws is essential if the free flow of information that
benefits businesses and consumers alike is to be maintained. A thorough study
of the consequences of foreign laws like the European Union Privacy Directive,
as well as their impact on U.S. competitiveness, is a critical first step to
furthering e-commerce in a way that is fair to American business.



By adhering to the principles outlined above, HR 4678 is, on the whole, a fair and
balanced approach and the most reasonable alternative currently pending in the
Congress. As you know, we strongly oppose other proposed legislation, S. 2201, that
is not consistent with these principles, and we are unable to support any bill that
goes beyond what is now contained in HR 4678. We look forward to working with
you to further refine and clarify HR 4678 if Federal legislation becomes necessary
(for instance, in order to preempt incompatible state laws or to regulate
unscrupulous actors).

We appreciate your willingness to work with us on this issue, and also very much
appreciate the time your staff has taken to talk with us about this important
subject. If you have any further questions, please contact John Schall at (202) 756-3385.

Sincerely, 


John Schall, 
Executive Director 


Susan Pinder, 

Chair 


Coalition Members: American Century Investments; AMVESCAP; CheckFree; 
CIGNA; Deere & Company; Dupont; Fortis, Inc.; General Electric; General Motors; 
The Home Depot; Investment Company Institute; Charles Schwab & Company; and 
Six Continents Hotels. 


Mr. Stearns. In this debate we are going to have a lot of people
that support it and a lot of people who don’t. And I think everybody
who is on this subcommittee, including the full committee
chairman, is on the bill except one. So these folks have a different
approach.

So there is going to be a lot of debate here and we welcome that
and we appreciate your comments. We may not necessarily agree,
but we like to hear your comments.

As all of you know there is a bill in the Senate, and what I would
like to do is start from my left to right and say the bill that we
have, which is H.R. 4678, how does it compare with the
comprehensive legislative proposals in the 107th Congress. What I am trying
to do through this hearing is establish a baseline so we can say
this is what is good about the bill, perhaps this is where the
controversy is; so then I can go back to those folks who don’t agree
and be prepared to convince them to come on board and to show
why they should.

So perhaps you could help me with actually making a comparison
of my bill with perhaps Senator Hollings, Fritz Hollings’ bill, and
say what you are concerned about. Now, Mr. Rotenberg is going to
say Mr. Fritz Hollings’ bill — he is going to praise it. But I would
like to, if I could, to put you all on the spot and ask that you tell
me this morning about my bill or that bill or any bill that is in
Congress, how it compares and why ours is better or not from your
standpoint, because then what I would do is take the coalition of
people that support it and say why we think this is better. Is that
possible for you folks to take a shot at?

Mr. Palafoutas. If you want this, Mr. Chairman, you are going 
to get it. I happen to go back to Mr. Rotenberg’s comment about 
your bill and the private right of action, and I will just mention one 
thing about the Hollings bill. The private right of action does cause 
us a great deal of problems, and while there may be 

Mr. Stearns. And I am not here to — you know, on the House
floor you can’t say anything negative about the Senate. You are
called out of order. And I am not here to talk in a way that is
negative, but just to say that from a policy perspective that this is
something we are concerned about and why, you know. And — all
seven of you are going to have a different opinion, but that would
put on the record our sticking points, because Senator Conrad
Burns over there is the ranking and he has supported the bill. So
Republicans and Democrats are not going to agree on this, as I said
earlier.

Mr. Palafoutas. Well, I too am not going to say anything
negative about Chairman Hollings. I think one of the concerns — and I
will pass the microphone down — is the private right of action. Mr.
Rotenberg makes a good point about the Federal Trade
Commission, and I think the Federal Trade Commission is the proper place
to do it. They may need some beefing up on this. I know some
members of their staff are here, and I won’t say anything negative
about the Federal Trade Commission either. But that is a concern
for us in the bill, and we appreciate your bill puts the enforcement
action in the bill.

Mr. Servidea. Mr. Chairman, I am pleased to answer this
question because I think until you decide what it is you are trying to
regulate, what it is trying to legislate about, you basically have
nothing. And I think the biggest single deficiency with respect to
Senator Hollings’ bill is the fact that the scope is so narrow as to
apply only to on-line transactions. I think to pass that kind of
legislation would be disingenuous as far as the American consumer is
concerned. American consumers’ personal data is their personal
data. Doesn’t matter where it is, doesn’t matter how they released
it, they should be protected.

Unfortunately, at the very end of the day, Senator Hollings put
sort of a Band-Aid kick-off to the Federal Trade Commission to
study offline. But the bill is basically an Internet regulatory bill.
That is the biggest deficiency, frankly, is the scope of the bill.
Second, I would comment that there is more than one privacy bill in
the Senate, and Senator Feinstein’s bill is an excellent bill.

Mr. Schall. Mr. Chairman, I would point out that the National
Business Coalition on E-Commerce and Privacy actually sent a
letter of opposition to Chairman Hollings on S. 2201 and we would
be happy to furnish that to this committee because it delineates
our five points of opposition. I will mention them here. First of all,
S. 2201 is confusing in that it really creates four different
categories of information: There is sensitive information, nonsensitive
information, and there is not quite so sensitive information. I don’t
know if anyone can make sense of those.

Second, the point made already is online only. I think it is a
disservice to the American economy to only focus on what is 1 or 2
percent of consumer transactions in the economy, and also keeping
in mind the logistical problem that companies really don’t sort
information by where it comes from.

The third point is that S. 2201 — and I don’t know if it is
intentional or inadvertent, it really empowers ways to revisit laws
existing on the books in terms of GLB and HIPAA. I think — why, even
some Democrat Senators on the committee — Senator Breaux raised
some concerns about the bill. I am not sure one wants to take an
on-line privacy bill, as S. 2201 would be, and have that revisited.

The fourth point is really remedies. There is far too much private
rights of action. We have concerns about the strict liability and
liquidated damages provisions.

Last, the preemption provisions in S. 2201 are truly inadequate,
and I would hope when the Senate Commerce Committee revisits
it, it looks at the model this committee used in H.R. 4678, because
the preemption provisions are so much more sensible in this bill.

Ms. Whitener. I would like to go back to a letter that was sent
by our CEO in his role as chairman of the Digital Economy Task
Force, Business Roundtable, outlining some concerns with this
particular legislation, and I will just kind of summarize.

The creation again of that new private right of action when
sensitive information is compromised is considered unnecessary and
will have many unintended and negative consequences. The
provision will open a Federal class action floodgate that will hinder
further innovation by businesses that fear any change in their on-line
information management practices will be met with lawsuits.
S. 2201’s mandating opt-in for sensitive information could place
improper burdens on consumers. Mandating opt-in may be intrusive
and inconvenient and could remove opportunities for consumers.

The legislation ignores the significance of providing consumers
with effective and credible options to make informed choices
regarding the use of their information. S. 2201’s access requirement
will increase costs for businesses while reducing consumer
information security. Though the provision mandates more consumer
access to private records, the result could actually reduce consumer
information security requiring simultaneous reasonable access, and
security could increase identity theft and place obstacles in front of
the companies desiring to take innovative security steps.

S. 2201 inadequately preempts inconsistent State laws. The bill’s
preemption language would only impact personally identifiable
information which is collected and used online. The legislation does
not effectively address the problem of inconsistent legislation and
legislation imposed by State governments in a meaningful way.

S. 2201 on-line and off-line information collection is technically
infeasible and economically unreasonable. Companies that digitally
collect personal information will be held to a different and higher
standard than those in more traditional businesses. The bill creates
separate but unequal burdens and regulations, and conflicting
privacy standards particularly, in which consumer information is
collected both online and offline.

In summary, the Digital Economy Task Force of the Business
Roundtable summarized the legislation to be fundamentally flawed,
overly burdensome, and promises to impede technological
innovation and electronic commerce, plus it will raise the cost of
compliance and encourage endless litigation and force many of the most
innovative traditional electronic commerce companies which are
usually small businesses, to abandon the promise of a digital
economy.

Ms. Barrett. Thank you, Chairman. I think there are seven key
differences between your bill and the Senate bill, and I am not
going to go back over all. Obviously the on-line versus — on-line/off-line
nature of the bill. The second is the private right of action. The
third is the preemption. And I think in preemption, we really do
need to look at it both from the business community’s perspective
as well as from the consumers’ perspective and how confusing it is
for the consumer who works in one county and works in one State
and lives across the State line to deal with a myriad of privacy
laws. The fourth is enforcement and self-regulatory efforts, which
I commented on. The fifth is harmonization with other laws where
we have specific laws recently enacted.

Mr. Stearns. Particularly with international.

Ms. Barrett. International, health care, financial services,
children, the list goes on and on. And I think it is critical that we
recognize the appropriateness of those laws.

The notice and choice provisions of your bill do work in an
on-line and off-line environment. And I think it is important that we
look at notice and choice across mediums. I don’t think we can sit
here today and foresee where technology will take us and what new
mediums we may be dealing with. And when we look at legislation
which is specific to one medium, I think we have serious
unintended consequences down the road when the technology changes.
And the last is the access provision which I commented on in my
testimony.

Mr. Misener. Mr. Chairman, I agree that the biggest concern
with where S. 2201 began was with the focus exclusively on on-line
transactions. And then in April’s hearing, at which I also testified,
I believe the committee frankly was moved by some of the
testimony which described how the bill would only touch 1 or 2 percent
of consumer transactions and could do nothing for those on the
unfortunate side of the digital divide.

By the end of the hearing, every member of the committee had
spoken in favor of looking at off-line privacy as well. So I would
like to think that there is movement to sort of coalescing around
an agreement which incorporates a holistic view of consumer
information privacy.

Mr. Rotenberg. Mr. Chairman, I think it is important to
understand first of all that Senator Hollings’ bill in the 107th Congress
S. 2201, is very different from the bill in the 106th Congress, and
that a lot of progress was made to try to resolve some of the
differences between consumer groups and business. And, frankly, we
agreed to a lot of things which I felt was possibly going too far on
many of the key issues.

On the opt-in issue we said maybe for most transactions opt-out
was more sensible if it could be made to work. On the private right
of action we recognized that there had to be some limitations. And,
frankly, we are not in favor of creating a private right of action
that enriches lawyers. We would much rather see consumers’
interests protected, and that is the issue that we focused on. On the
preemption issue there was also some effort to allow some action for
States, and at the same recognizing a need for national standards.

So my sense about S. 2201, in fact it was a sensible compromise 
where both sides gave up something — and I am trying to figure out 
on the spectrum where we would put 4678. It seems to be the 
counter position from the Hollings bill in the 106th Congress. 

Mr. Stearns. That is how you would put it in the spectrum? 

Mr. Rotenberg. Yes, sir, I think I would. Because as I said,
there are two very different bills that have come out of that
committee, and the current one is not the one that was in the previous
Congress. The other point

Mr. Stearns. Do you support the one in the 106th?

Mr. Rotenberg. Yes.

Mr. Stearns. That was better from 107th? 

Mr. Rotenberg. From a privacy viewpoint, yes. It gave more 
rights to consumers. The bill that was reported out of the Senate 
Commerce Committee, as I said, was significantly scaled back. It 
did not include a lot of the provisions. 

Mr. Stearns. But your organization supports the Senate bill. 

Mr. Rotenberg. Well, I testified on that bill, and I think we said 
largely that it could be made to work. 

Mr. Stearns. With some minor changes, you would support, your 
group would support that bill. 

Mr. Rotenberg. I think if enforcement is serious and there is a 
cooperation on both sides, it could be made to work. But it is a very 
different bill from the one we were looking at a couple of years ago. 
The other point 

Mr. Stearns. Do you think he should have dealt with off-line 
and on-line privacy the same? 

Mr. Rotenberg. This is the point I wanted to get to. And I have
to say as the debate has progressed, I think the case has been
made particularly well, you know, on this side that off-line does
need to be addressed. And I think in this respect, you know, the
Senate bill probably does come up short, and I imagine from the
business perspective it doesn’t seem like a sensible distinction.

I have to say our concern on the Senate side is that many who
said, if you are going to pass a privacy bill you need to do both,
was that the people who took that position really didn’t want a
privacy bill. And my view is if you are going to take the position you
need to do both, I think you have to be prepared to back the bill.
You can’t say let’s make the problem so large we can’t solve it.
That is not an approach to finding a solution.

Mr. Stearns. Mr. Schall mentioned two local communities in
California now have passed privacy bills. Are you concerned about
the balkanization in this country — different States and
communities having different thoughts?

Mr. Rotenberg. I am primarily concerned about the protection
of privacy in America. And what is extraordinary to me is how
hard people across this country are working to protect their
privacy. I haven’t seen an issue in the last 10 years that has
generated this type of activity at the local level. And I think that
should send a message to the Congress that people want a strong
bill.

Mr. Stearns. I thank my colleague for his patience and recognize 
the gentleman from Virginia. 

Mr. Boucher. Thank you, Mr. Chairman, and I want to express 
my appreciation also to the witnesses who testified today. You have 
prepared thoughtful testimony and you have delivered it well and 
we appreciate your contributions to this ongoing discussion. 

I want to direct my question to the international provisions that 
are contained in the bill and get the views of witnesses with re- 
spect to those. Several years ago there was a carefully negotiated 
safe harbor achieved between the United States and the European 
Union. It was designed to enable the continued flow of data be- 
tween the European operations of American companies and their 
American operations, notwithstanding the fact that American law 
does not contain the formal privacy requirements that are extended 
by the European Union, which has very thorough privacy guaran- 
tees, well beyond what American law provides and beyond in fact 
what this bill provides. 

It was a carefully negotiated agreement. Many Members of the 
U.S. Congress were involved in the discussions that led to that 
agreement. In fact, Mr. Goodlatte and I, the co-chairs of the Con- 
gressional Internet Caucus, testified before the European Par- 
liament at one point, urging support for and implementation of the 
safe harbor. And it was implemented. I am sure our testimony had 
little to do with that result, but we were very pleased when that 
result was achieved. 

My general reading is that this safe harbor arrangement has 
been working well, and we now have more than 240 American com- 
panies that have registered under it and have agreed to the condi- 
tions that are contained in the safe harbor. And I think people on 
both sides of the Atlantic are relatively pleased with the results of 
that arrangement. 

The last thing that I would like to see is something contained in 
this bill, were it to achieve passage, to adversely affect the safe 
harbor arrangement. And I would like your views about whether 
or not these international provisions might do that. The inter- 
national provisions are designed to address the concern that some 
companies have voiced that there are other European policies that 
have a discriminatory effect with respect to American companies 
that adversely affect American companies in comparison with their 
European counterparts. Some have suggested that some of these 
European policies are intentionally designed to favor the European 
companies, that these are not inadvertent consequences of the im- 
plementation of the European policies. 

So there is a level of concern about this discriminatory effect on 
the part of some American companies. That concern has been re- 
flected in the international provisions in this bill, which are quite 
explicit about what American agencies are supposed to do in the 
event that the U.S. Administration finds that there is a discrimina- 
tory effect. And point in fact: At one point the bill even says that 
no Federal agency may continue any action to enforce even agree- 
ments that the United States has entered into if those agreements 
lead to some discriminatory effect. 

Now, bearing in mind that the safe harbor arrangement continu- 
ation depends entirely upon the voluntary willingness of the Euro- 
pean Union to continue it, I am wondering how irritating you think 
this provision might be and whether it might at some point — would 
lead the European Union to suggest that 

Mr. Stearns. Will the gentleman yield? 

Mr. Boucher. Let me just finish the question and then I will 
yield. — to suggest that perhaps if we are going to behave this way, 
we are going to have some different view of whether the safe har- 
bor ought to be continued. 

I would be happy to yield. 

Mr. Stearns. I am going — we are going to take a 5-minute 
break. I have to make one call and a lot of the members haven’t 
come in. We don’t have votes until late tonight. We are going to 
take a 5-minute break and we will be right back and that will give 
you a chance to ponder his question. 

[Brief recess.] 

Mr. Bass [presiding]. Sorry for the momentary interruption. We 
are all playing musical chairs. The chairman had to go down to 
make an opening statement. I am not sure he mentioned that. If 
he did, we certainly apologize for the interruption, and I would con- 
tinue to preside until he runs. My understanding is that Mr. Bou- 
cher asked a question and we were waiting for a response. 

Mr. Boucher. Mr. Palafoutas, let us begin with you. 

Mr. Palafoutas. To say we have a concern is to say just that, 
and the bill recognized that, in that the Secretary of Commerce has 
the responsibility, if the bill is enacted, to see if this harmonizes. 
Our concern is predicated in some respect on the meeting Chair- 
man Stearns had with the privacy officers of the EU back in Janu- 
ary. And they have a different view of what is going on in terms 
of privacy. And as you mentioned, I think the number is 242 com- 
panies have signed up under the directive, and we are not sure 
how the Europeans will respond. From our standpoint we just don’t 
know. I am sure others have other opinions. 

Mr. Boucher. When you say you don’t know, let me plumb that 
a little more deeply. Are you a little bit apprehensive if we enact 
this provision into law that the Europeans could potentially re- 
spond by being less interested in the continuation of the safe har- 
bor provision? It is purely voluntary on their part. 

Mr. Palafoutas. Yes. 

Mr. Servidea. I think to start out, I would say, yes, we do share 
the concern that perhaps it could disrupt what we think is prob- 
ably an arrangement that is working well at the moment. As you 
pointed out, there are over 240 U.S. multinational companies who 
have decided to voluntarily certify into safe harbor. And I think we 
have to start from the premise that the European governments 
have certainly the right to protect their individual citizens’ privacy 
just as you do, you know, U.S. citizens. And we can do that with 
them under individual legal contracts with each of the data protec- 
tion ministries or we can do it under the Safe Harbor Agreement. 
The Safe Harbor Agreement happens to be a much more efficient 
way to do that instead of having to deal with 15 different data pro- 
tection directives on perhaps a very specific — sectoral-specific con- 
tracts. We can certify under the safe harbor to all of that and have 
the U.S. regulatory agencies being the enforcement mechanism. 
We think it is working well and we would not like to see it dis- 
rupted. We think sections 302 and 303 possibly could do that. Sec- 
tion 304, which calls on the Secretary of Commerce to work on har- 
monization, we think is probably worthwhile. 

Mr. Boucher. I share the view you have expressed, and I would 
hope as we examine these provisions once again in anticipation of 
enacting the measure during the next Congress, we could revisit 
these international provisions. And if you would be so good perhaps 
as to communicate this view somewhat more persistently during 
the drafting process, I think that would be beneficial to all parties 
concerned. 

Mr. Schall. 





Mr. Schall. I am glad you brought up the international provi- 
sions, because I think the whole international question is impor- 
tant to this debate and you should be commended for your leader- 
ship with our European counterparts on this issue and also for 
going the extra mile with some of our companies in talking through 
how some of this works. 

With respect to the safe harbor — and I must say over the course 
of the history of the National Business Coalition on E-Commerce 
and Privacy, we have had some companies who are in the safe har- 
bor — lots of companies who decided not to be in it. What we are 
concerned about is there is a level playing field between us and the 
Europeans. And I think that is why the call for the study in here 
is probably worth doing. In fact, it is sort of perhaps surprising 
that a study of this sort wasn’t done before when we first entered 
into the safe harbor during the previous administration. 

Clearly, we all need to remember you are dealing with a whole 
different culture over there in terms of both enforcement and litiga- 
tion, much more haphazard enforcement on the European side than 
we see over here, and a very important distinction in the litigation 
culture where, by and large, loser pays over there. Tremendous dis- 
incentive to bring lawsuits. Obviously, we don’t benefit from that 
approach over here. Perhaps if we did, we would have a different 
view. 

A lot of the companies decided not to pursue the safe harbor, 
hoping that model contracts would end up being better, and then 
we of course subsequently discovered that the model contract that 
the Europeans decided to draw them out were not better, in fact 
were worse, and you have been a part of that discussion as well. 

I would, however, share your concern with the particular provi- 
sion in this bill that has Congress dictating to the Secretary of 
Commerce on how to enforce those provisions. I think that would 
probably raise a constitutional concern, so I think that is worth 
looking at, though I think the study itself would simply benefit ev- 
erybody. 

Mr. Boucher. Anyone else care to comment on that? 

Ms. Whitener. I won’t restate some of the comments made here. 
I would like to point out in section 304 we believe the approach is 
on target. Again, some of the issues that have been raised we cer- 
tainly do feel would warrant perhaps some additional discussions. 
But in general, we believe that businesses should have the freedom 
to operate globally under harmonized laws, and if you have proc- 
esses that leave a door open for a claim of inadequacy, that it does 
little to promote e-commerce. 

Mr. Boucher. Section 304 just deals with the general efforts to 
provide notice to other countries about problems that we have and 
generally would be in pursuance of harmonization. That is not the 
more troubling section that actually would inhibit enforcement of 
agreements we already have in place. Anyone else care to com- 
ment? 

Ms. Barrett. I would like to say I am commenting on behalf of 
Acxiom and not the three companies that I testified. Acxiom is a 
member of safe harbor, and we do business in almost all of the Eu- 
ropean countries and have found it to be extremely beneficial in fa- 
cilitating relationships both within Europe — global companies 
working with information flows across those borders. We certainly 
would not want to approach any kind of study with a “let’s find 
problems” kind of attitude. If it is a balanced study and it does get 
to the facts and identifies any issues or any problems that exist, 
we think it might be very appropriate. But we need to be cautious 
about the tone in which we approach it. 

Mr. Boucher. I think we agree, and I detect a consensus every- 
where and I share this, that we ought to have the study provisions. 
The real troubling provisions are those that would inhibit enforce- 
ment of agreements already in place, and perhaps we could do 
without that, while promoting harmonization and promoting a 
study of the effect the policies that Europe has with respect to 
American companies. And if there is discriminatory effect, we 
ought to talk about it and try in a persuasive way to remedy those 
problems. 

Thank you very much for your comments on this. Mr. Chairman, 
I don’t have any other questions. Let me simply say — the other 
chairman is not here, but let me again say that I think Mr. Stearns 
has done an outstanding job in plumbing the depths of a very com- 
plex subject. The hearings he has held are unprecedented in our 
Congress on the question of privacy assurance. We have built a tre- 
mendous committee record on this subject and I think we are ready 
to act in the next Congress. And with the support of those at this 
table and with good consultation from those who may not agree 
with all of the provisions, Mr. Rotenberg, hopefully in the next 
Congress we can achieve the enactment of a measure that assures 
for American consumers greater privacy protection. 

Mr. Bass. Thank you, Mr. Boucher. I am sure that the other 
chairman will appreciate your kind remarks. 

I was wondering if each of you could comment on the 
cybersecurity provisions of the bill. 

Mr. Palafoutas. The short answer is we appreciate those provi- 
sions and we think that they need to be in the current form, be- 
cause people are concerned about the things that come up about 
their identity and the security of personally identifiable informa- 
tion. So from my company standpoint, these provisions are good. 

Mr. Servidea. I will take a pass on that, if I can. 

Mr. Schall. We are glad there is a security component in the 
bill. You know, it is funny; we all bandy about the word “privacy” 
in this debate. But in a very real way, privacy is a misnomer, in 
that in the most fundamental sense this is a debate about data 
management and security. And I think a lot of the concerns that 
real people genuinely have when they think in the world of privacy 
are really security concerns about their data, how it is stored, and 
how it gets used. 

So I have to commend Mr. Stearns and the staff and the mem- 
bers for putting in a security component in the bill, because in fact 
I think the terms do get conflated in some sense, and it is impor- 
tant to realize that a lot of what we talk about when we are talking 
about privacy, we really mean security. And for there to be a secu- 
rity component in the bill I think draws it out in a very important 
way. 

Ms. Whitener. Well, certainly in the testimony that I gave, I 
sort of concentrated a little bit on this area of security — because, 
again, in viewing the importance of security, it is critical — is the 
underlying actual foundation of being able to enable your privacy 
policies. We work together with clients when we are looking at se- 
curity, and we are looking at privacy issues certainly to look at the 
security in place, and it is critical. 

We believe that what is built into this bill from the standpoint 
of the development of a policy, that consideration of a policy and 
the approval of the policy by senior management is also very crit- 
ical because that does raise the awareness to the levels at which 
a company can begin to realistically assess the risk associated with 
the security within the organization and begin to make decisions 
about generally the costs and the benefits and how to mitigate the 
risk and to how to best absorb the risk, transfer the risk, or how 
to deal with it just as any other business risk. But it is critical that 
senior management understand and appreciate the risk that secu- 
rity brings to their organization, and so we certainly support that. 

We also support the fact of a designation of someone within the 
organization to have that as a responsibility. As I mentioned, many 
organizations have someone within their IT or within the organiza- 
tion that has either a part-time or some role centered around secu- 
rity. But it is very important within a company for there to be a 
channel, a point person for when there is an incident; that someone 
knows who to go to to report it to, and someone who has ultimate 
accountability for the security programs. So we are in support of 
the security that is within this bill. 

Mr. Stearns. I don’t know — I guess — let me ask Mr. Rotenberg 
a question. You mentioned something about the sharing of informa- 
tion dealing with law enforcement agencies. And is there any prohi- 
bition dealing with marketing information? 

Mr. Rotenberg. I am sorry? 

Mr. Stearns. In other words, you are concerned and want that 
there should be more prohibition in dealing with law enforcement 
agencies. You mentioned Acxiom and how they are sharing their 
information. 

Mr. Rotenberg. I didn’t say prohibition, Mr. Chairman. In my 
testimony I tried to explain that typically what is done in a privacy 
law is to create a fourth amendment standard, so if there is prob- 
able cause or reasonable suspicion, the police will get access to 
records that are held by the business. And I think that is the ap- 
propriate standard and that is the traditional standard. There is — 
my concern here is that first of all there is no standard for law en- 
forcement access in the bill. 

Mr. Stearns. You would like us to incorporate some standard, 
then? 

Mr. Rotenberg. Yes. As I said, it could be borrowed from almost 
any privacy law. It is done in everything from video rental records 
and e-mail to cable subscriber and financial that could be done 
here. 

Mr. Stearns. I guess Acxiom — maybe your comment, too, about 
what he just suggested. 

Ms. Barrett. Well, we certainly agree that the use of informa- 
tion by law enforcement when it is warranted cause is appropriate. 
And I am speaking on behalf of Acxiom. We do not believe that, 
you know, law enforcement should have unfettered access to all 
kinds of commercial information, nor do we provide or participate 
in such practices. 

Mr. Stearns. Mr. Bass, would you like to 

Mr. Bass. One last question briefly. How will the provisions of 
the bill that we are deliberating on relate to provisions passed in 
Gramm-Leach-Bliley and other privacy-related aspects of HIPAA? 

Mr. Servidea. I think the bill does a pretty good job of specifying 
that the existing legislation that deals with specific sectors such as 
health care and financial services, that those bills take precedence 
over this bill. And I thought that the statement of the, if you will, 
preemption of those bills was pretty explicit and the list is pretty 
thorough. So — and we support that. 

Mr. Bass. Any other comments? 

Thank you, Mr. Chairman. 

Mr. Stearns. The gentleman from Oregon. 

Mr. Walden. Thank you very much, Mr. Chairman. I wanted to 
ask, following up on Mr. Palafoutas’ testimony, this issue of the EU 
safe harbor provisions, can you give me a little better under- 
standing in terms of what we might need to do in this bill to make 
that work? 

Mr. Palafoutas. As we discussed before, ours is a concern about 
the EU and their response to this particular bill. I think it is a 
matter that we want to rise to the level of conversations with mem- 
bers of the privacy officers and the various customers to see how 
they react to that, because it is a problem in that there is uncer- 
tainty there. And that is the only problem there is the uncertainty. 

Mr. Walden. Do you think you can get over that issue? What 
does it take to get over that? 

Mr. Palafoutas. I think the bill provides for some of that, with 
the Secretary of Commerce taking a look at this. And even prelimi- 
nary discussions, the chairman has had these discussions in the 
past with the DPAs. I have had them in here in January and we 
had some pretty open discussions at that time. They are willing to 
talk about it because this is of great importance to them, although 
they have a different perspective on privacy from what we do in the 
United States. 

Mr. Walden. Anyone else want to comment on that issue? 

Mr. Servidea. I would like to say that Congressman Boucher 
really kind of hit the nail on the head. Certainly a study, an effort 
to determine where we don’t have harmonization, could be valu- 
able. I think the difficulty with this is that it kind of puts down 
the gauntlet and says if we can’t get harmonization, then we are 
going to stop enforcing the Safe Harbor Agreement. And I think 
throwing down that gauntlet is extremely unfortunate. So I would 
suggest taking out that provision of the bill which is section 303, 
would be very helpful and probably would avert a problem with the 
European Union, and God knows we have enough problems with 
those folks already. This seems to start us down the road of where 
we went with FSC. We put the threat down and then it just be- 
comes increasingly a problem. And I think for most American cor- 
porations right now, safe harbor is a working option and we would 
not like to see it disrupted. 

Mr. Schall. If I could jump in there, I think one thing important 
not to lose when we are looking at how we interact with the EU 
is some sort of holistic approach of how this comes together. And 
I think that is what is to be credited in this bill in asking the GAO 
to look at it, because we have only ever looked at pieces. The 15 
major companies in my coalition, all are multinational and almost 
all deal in Europe, including actually America’s biggest employer in 
Europe, General Electric. Because of the difference in the enforce- 
ment culture, because of the difference in the litigation culture 
where loser pays over there, it is a very different environment. And 
I don’t think anybody has walked through yet how those dif- 
ferences impact our companies in operating with that data. 

And also remember, too, we only ever looked at a piece of it. Safe 
harbor which frankly has not really been huge companies — 240 
companies is obviously much fewer than the Department of Com- 
merce would have ever predicted and many fewer than the Euro- 
peans would have hoped, you know; even safe harbor doesn’t in- 
clude financial services companies that are still hanging out there 
because the Europeans refuse to accept the fact that Gramm- 
Leach-Bliley as passed by the Congress and signed by the Presi- 
dent is American law and ought to be deemed adequate for EU 
purposes. So there are always still financial companies still hang- 
ing out there. They don’t have a safe harbor to go into. And I have 
both financial and nonfinancial companies in our coalition. I think 
what is important not to lose here is the bill, asking someone let 
us finally do this work that we probably should have done 4 years 
ago that tries to get a holistic look and evaluation of this situation. 

Mr. Walden. Anyone else have a comment on that? Mr. Schall, 
can you explain your understanding of what is being considered in 
San Mateo, California, and is this permissible under other privacy 
laws such as the privacy protections within Gramm-Leach-Bliley? 

Mr. Schall. What we see happening in California right now, San 
Mateo County and Daly City have already both passed their own 
separate opt-in privacy laws. They took us a model bill that was 
in the California legislature statewide and did not pass in the Cali- 
fornia assembly. So these local jurisdictions have begun to pass it. 
Actually five other counties and cities in that area will do so in the 
coming weeks. Those bills actually differ from one to the other, 
even though they are generally sort of similar in opt-in, but they 
have different remedies, different enforcement provisions. 

Actually it is an interesting situation. Daly City is in San Mateo 
County and San Mateo County passed a bill and then Daly City 
passed a bill and they are not identical. What we see is now with 
the potential of who knows how many local jurisdictions passing 
conflicting privacy laws, I don’t know how you comply with that. 
Certainly there is a court challenge already to those under both the 
National Bank Act and the Fair Credit Reporting Act. I think the 
Fair Credit Reporting Act challenge is a strong one, but the Fair 
Credit Reporting Act would only apply to sharing with affiliates so 
it would not — even if it was found valid by the courts — would not 
throw out the entire law. And I think because of that, what you 
are going to see is a lot of these popping up. 

I think under recent Supreme Court rulings you would have to 
come to the conclusion that Gramm-Leach-Bliley may well not pre- 
empt them. Unless there is a specific prohibition on jurisdictions 
within States, then you probably haven’t preempted locals from 
doing that. I think now we have this situation and I think that is 
frankly why we are going to need a bill because you have already 
seen some localities passing bills. 

Mr. Walden. Given — do you believe that this bill’s provisions 
banning private rights of action and preempting State action can 
be interpreted to permit or allow class action lawsuits in States? 

Mr. Schall. Right now? 

Mr. Walden. No. Under this legislation. 

Mr. Schall. I don’t see anything under this legislation, on the 
advice of counsel — and perhaps others know better — I don’t see 
anything in this legislation that changes what is existing private- 
rights-of-action State AG authority under existing mini-FTC acts 
passed by each of the 50 States and District of Columbia. I don’t 
think anything here changes what is already existing in terms of 
what can be done at State and local levels in terms of enforcement 
under mini-FTC acts. 

Mr. Walden. That is all the questions I have. 

Mr. Stearns. I thank my colleague. Let me just before we wrap 
up, just touch a little bit, Greg, on what you just talked about, 
which I think is going to be the hard fight, because you have a lot 
of policy decisions but then you come down with one or two polit- 
ical ones. And this banning the private right of action and preempt 
State action is going to be the political fight, because there are peo- 
ple who fundamentally think they should be able to go to the Fed- 
eral courts and be able to sue. And so that might be an area where 
we are going to have to find some kind of compromise to get this 
through. As you know, with a political consensus issues work 
through themselves successfully and that is why we have the ballot 
instead of the bullets. So it is really a remarkable process so I am 
very sensitive to that. 

I guess a question, Mr. Schall just touched on — I will go back to 
you — if we have in the bill this banning private right of action and 
preempting State action and maybe someone else — Mr. Rotenberg, 
you can help me out, too — would that eliminate class action suits 
at the State level? Could that eliminate all possibilities of States 
attorneys general getting together and working to do something? I 
am not a lawyer, but it would seem to me that we are trying to 
keep it on the State level and not on the Federal level. But there 
might be ways for attorneys general in class action suits to get to- 
gether. 

Mr. Rotenberg, let me have you start, because you are probably 
more supportive of this. 

Mr. Rotenberg. I appreciate your comment, Mr. Chairman, and 
I really do want to emphasize that my position and the position of 
the privacy community generally is not to enrich lawyers. 

Mr. Stearns. Oh, no. 

Mr. Rotenberg. And I want to make sure how strongly we be- 
lieve this. I went up to New York to participate in a Federal Court 
proceeding as an intervenor to object to a settlement in a case 
where the lawyers were getting paid and nothing was being pro- 
vided to the consumers for a breach of privacy, and I said to a Fed- 
eral judge I thought this was not appropriate. So I would look for 
approaches that address the concerns of the business community 
about not being exposed to class action liability. I think you know 
the opportunity under the Telephone Consumer Protection Act, for 
example, which allows people to get damages of $500 if they go 
through all the steps of notifying the company first and then going 
to small claims court is not about approach for privacy issues. And 
I think there are also ways in terms of the State attorneys general 
to allow them to enforce rights set out under Federal statute, 
which was the approach that was ultimately settled upon in the re- 
vised Hollings measure. 

So I think there are ways here in the middle area to address con- 
cerns on both sides, but I believe very strongly the flat prohibition 
on private action joined with this very strong preemption is really 
shutting the door on privacy claims. 

Mr. Stearns. Well, I am sensitive to that. We have this and we 
support it, but I am looking for possibilities, if I can get a markup 
out of my subcommittee and get it to the full committee. I mean, 
to get a lot of the Democrats on board is going to require some com- 
promise in that area, and I see that as one of the problems, early 
on problems, so any solution that you have. 

Mr. Schall, I will let you answer first. 

Mr. Schall. Well, I am glad Mark Rotenberg and I agree that 
this should not be a trial lawyers enrichment act. As we read the 
bill, there is nothing in your bill that bans class actions. So no, 
they would not 

Mr. Stearns. They could go to the States? 

Mr. Schall. Absolutely. And that point is definitely worth un- 
derscoring. States still have the opportunity to act under this bill 
through mini-FTC acts that have been passed by all 50 legislatures 
and the District of Columbia, and indeed if States want to go back 
and revisit mini-FTC acts that they passed, they are free to do that 
as well. So State attorneys general have the ability to act in pri- 
vate rights of action at local levels. 

What this bill does not do, and I think exactly is the right deci- 
sion, is not create some new Federal private right of action for this 
bill, leaving the enforcement authority to the FTC where I think 
it legitimately belongs. So nothing in this bill changes what is al- 
ready there in terms of class actions and State attorneys general 
under mini-FTC acts. 

Mr. Stearns. Mr. Misener. 

Mr. Misener. Mr. Chairman, we have testified on a number of 
occasions that we oppose private rights of action in this new kind 
of a privacy law. And certainly we would also oppose class actions. 
To us it is a subset of private rights as a specific type of action, 
and we ought not have newly granted private rights under this 
kind of a bill. This isn’t though, however, a traditional case of busi- 
nesses just being afraid of the trial bar and issuing any kind of pri- 
vate rights for fear of large judgments and that sort of thing. It 
really goes to the ultimate goals of this legislation. And it seems 
to me that the ultimate goal is giving consumers informed choice 
about their private information: what they have done with it, 
where they provide it, where it goes thereafter. And that kind of 
informed choice relies on information and having the consumer 
truly be informed of what is going on. 





I think it would be easy for companies, responsible companies 
like the ones that come and testify before your subcommittee, my 
company certainly, to write a very thorough legalistic privacy no- 
tice that would withstand any kind of a private challenge. It would 
hold up and it would be 5, 15, 20 pages long, small type, and all 
those sorts of things, but the fact of the matter is consumers will 
never read that. What they want to read is something really clear, 
bullet points, couple pages long, that is understandable and in 
English. 

Mr. Stearns. Or their lawyer can read. 

Mr. Misener. And so I guess our concern, Mr. Chairman, is if 
we are subjected to the class action bar, to the plaintiffs bar in 
general, what we will find is that companies will back off and make 
their policies a lot less readable for the sake of legal defensibility. 
It seems to me a public enforcement mechanism, such as through 
the Federal Trade Commission, could take into account those com- 
peting goals of precision and readability. 

Mr. Stearns. Anyone else wish to comment on that? I will close 
with asking each of you perhaps just the cost of implementation of 
H.R. 4678; you know, do you see any large costs for implementation 
of this bill? And you might just say what you would foresee if you 
had to implement the one on the Senate side, just to give me an 
idea of some — I don’t know if you can quantify it, but you might 
be able to speak in broad terms — is this going to cause an enor- 
mous additional cost for you and your companies? 

Mr. Palafoutas. As you know, Mr. Chairman, the most visited 
Web sites already have a clearly defined privacy policy and do all 
that they can to protect consumers’ privacy. I think in terms of cost 
to the companies, I don’t see a great cost. I think it is of great im- 
portance to consumers that they do this certainly across State 
boundaries; and that is the biggest thing that this bill does, just 
to make it seamless. You take a look at the local municipalities — 
now the States, consumers can have certainty on interstate com- 
merce. This is going to continue. The one big cost that consumers 
talk about is they want a free Internet. We don’t talk about that 
other side. 

If you were to do a survey of everybody here on the panel and 
ask are you concerned about privacy on the Internet, of course we 
are concerned about it. But as Mr. Rotenberg said earlier, there is 
a tradeoff, and part of the tradeoff is still get my name, address, 
and telephone number for certain uses. But I think your bill brings 
certainty into the marketplace, and anytime there is certainty in 
the marketplace, that is a good thing and a plus for industry and 
a plus for consumers. 

Mr. Servidea. Mr. Chairman, I don’t — speaking for NCR and for 
the rest of the companies — I don’t really foresee a great expense in- 
volved in implementing H.R. 4678. I think most of the companies 
have already put in place the provisions that you are asking for 
here. I think with respect to the Senate bill, I think because of the 
fact that it differentiates so much between different types of infor- 
mation, as was pointed out — sensitive information, insensitive in- 
formation, on-line information versus off-line information, whereas 
most of our systems, most of our practices and procedures, are to 
treat data — as I said, data is data and we treat data pretty much 
the same way. If we had to go back and try to refigure out how 
we are going to treat it, that is where the cost would come from. 

Mr. Schall. Sure, there are costs, and I would suspect we will 
all find they are much higher than we think, but we consider them 
to be legitimate costs. But I will give one example. One of our coali- 
tion companies, Check Free — California passed the law that this is 
how you deal with Social Security numbers in terms of financial 
transactions — required a change in the management system, 
$250,000 just in that State. One State, one company, and multiply 
that by every company in every State, sure the costs add up. But 
we considered the costs that would be associated with the changes 
outlined in this bill obviously are far lower than what you would 
see in the approach in S. 2201; higher costs which frankly wouldn’t 
result in any added benefit to consumers, and I think that is the 
real problem. 

And then to underscore the other point, what would be most ex- 
pensive for us and, of course, possibly impossible to comply with 
and no benefit to consumers, is to have some patchwork. We have 
to have any number of information systems to meet those par- 
ticular regulations. 

Ms. Whitener. I think most companies, as we look back at the 
ones who have been out front in this issue and have been moving 
forward with very effective security and privacy practices, have 
found that their investment in these practices has actually been 
creating returns, and that it can be used as a business enabler. 

Mr. Stearns. Cost of doing business. 

Ms. Whitener. It is a cost of doing business today. Companies 
need to understand what their customers and consumers are ask- 
ing for, what their needs and expectations are, and they have got 
to be able to respond quickly to those needs and expectations. And 
certainly privacy and security are certainly two of the demands 
that they are facing. So if you take away any type of compliance- 
driven initiatives, many companies today are working to meet their 
customers’ expectations for security and privacy, and they are find- 
ing that as they implement effective information handling and se- 
curity behind that, that that is enabling business processes and 
content sharing and more effective opportunities for revenue en- 
hancements than it had before. So if we look at the costs there, I 
do believe that you can see some rationalization of the costs as an 
investment and very proactive business practices. 

Ms. Barrett. On behalf of Acxiom Corporation, the costs are 
minimal to implement this bill. Most of the provisions are already 
industry practices and certainly practices that we think are appro- 
priate practices and that build consumer confidence. And I would 
echo the comments just previously made, that it is really about 
trust and not about compliance when it comes to building relation- 
ships with consumers. 

I think that where the cost of this bill may be borne by compa- 
nies that have not participated in self-regulatory programs or other 
programs and activities, then they will have the costs to implement 
the kinds of notices, choices, and security practices that many of 
us have had in place for a number of years. 





Mr. Misener. Mr. Chairman, it is unlikely that H.R. 4678 would 
cause us to expend much and many resources to comply. It is not 
going to cause us to change our practices in any substantial ways. 
In fact, it is not even clear that S. 2201 would have those direct 
material costs on a company like Amazon.com, which already has 
had excellent privacy practices in place for quite some time. The 
costs of S. 2201 are not in the implementation side but more in the 
litigation side, defensive side. Defensive in two senses: One is de- 
fense from the litigators, and Mark will tell me who are consumers 
and not litigators. 

But the point is that consumers don’t view privacy as a vector, 
nor should they. Otherwise, we would wall ourselves off in 
cinderblock. They want a combination of privacy, convenience, se- 
lection, personalization, all the things that go along with that. And 
our goal is to try to serve the overall customer desire for shopping. 

The other aspect of this, of S. 2201’s potential costs on us, would 
simply be the competitive costs. If we are competing with on-line 
retailers, including the largest company in the entire world, if the 
same regulations are not applied to them as would be applied to 
us, we can see substantial competitive risks as well. 

Mr. Stearns. I assume you will send a letter of support for the 
bill then? We will use your testimony as an endorsement some- 
what. 

Mr. Rotenberg. I am still working on my letter, Mr. Chairman. 

Mr. Stearns. We will be waiting. 

Mr. Rotenberg. I think it is very important to keep in mind 
costs to consumers, because ultimately when you are talking about 
the protection of privacy, you are talking about the concerns that 
consumers have about the loss of privacy. And there can be hard 
costs in identity theft, which State attorneys general say now is the 
No. 1 white collar crime in America. There can be soft costs in the 
sense that the businesses you are dealing with in trying to estab- 
lish relations of trust are routinely taking your personal informa- 
tion and selling it to third parties for other purposes. Now, it is 
hard to put a price tag on that, but it is very real — I think the 
large problem here that needs to be solved. 

But I think what unites the consumer groups and business 
groups is the belief that the cost to consumers to participate in new 
services should not be their loss of privacy. They should not be 
asked to trade their privacy to be able to take advantage of oppor- 
tunities in the marketplace. And so I think we need a bill that 
minimizes that cost and lets people participate and safeguards 
their privacy. 

Mr. Stearns. I thank all of you for attending our hearing. And 
as we move forward, any of you who have not written a letter of 
support, we would appreciate it because that works in getting 
Members to come on the bill. 

The second point I would make is that what Mr. Shaw mentioned 
in California, there is going to be much more of an impetus to get 
this bill marked up and get it to be visible. I invited the chairman 
up. He is down in an oversight hearing on Global Crossing. But the 
bottom line is I need to convince more Members and the leadership 
of my party how important it is to get this as a benchmark before 
we get all these communities and 50 States out there with a bill 
which will cause — talk about costs that was alluded to. 

So again, I think we made a good start and a lot of your testi- 
mony will help, I think, clear a lot of issues for Members and we 
will keep working on this. And with that the committee is ad- 
journed. 

[Whereupon, at 11:25 a.m., the subcommittee was adjourned.] 



